The names, admission dates and medical record numbers of 5,292 patients of University of Iowa Health Care were accessible over the Internet for around 2 years as a result of an error in configuring an application development website.
University of Iowa Health Care reports the data were exposed in May 2015 and remained accessible over the Internet until May 1, 2017, when the website was secured. University of Iowa Health Care was notified of the matter on April 29 by a third party.
That individual was an expert security researcher, indicating the discovery did not result in any further disclosure of the information. However, it is unclear whether any other individuals gained access to the data during the time the information was unprotected. University of Iowa Health Care reports that its investigation of the breach did not uncover evidence to suggest the information had been accessed. UIHC spokesperson Tom Moore said, “To our knowledge, the files had limited views.”
The exposed data was limited and did not include any financial information, insurance details, clinical data, or Social Security numbers. Individuals affected by the incident have now been notified and advised to exercise caution nonetheless and monitor Explanation of Benefits statements for any sign of data misuse. Notification letters were dispatched on June 22, 2017.
The breach prompted UIHC to conduct a comprehensive risk analysis to identify vulnerabilities that could threaten the confidentiality of protected health information. Issues uncovered by the risk analysis have now been addressed and information security has been improved. UIHC is also increasing oversight of the development and management of custom databases and will be tightening its processes to prevent future incidents of this nature from occurring.
UIHC will also be retraining employees on data privacy and providing further education to individuals on the use of authorized tools to move data sets.