652 Patients have PHI Exposed in UAB Medicine Breach

A breach of patients’ protected health information (PHI) at the UAB Medicine Viral Hepatitis Clinic in Birmingham, AL has been discovered.

UAB Medicine uses flash drives to send data from its Fibroscan machine to another computer. On October 25, 2017, two flash drives were found to be missing from their normal locations. The portable storage devices held a limited amount of PHI of 652 patients.

Information held on the devices included first and last names, gender, birth dates, images and numbers relating to test details, medical prognosis, names of referring physician, and the dates and times of the examinations held.

UAB Medicine has revealed that no Social Security details, financial data, insurance details, addresses, or phone numbers were held on the flash drives.

A rigorous search of Viral Hepatitis Clinic was carried out, but the flash drives could not be found. The review into the breach is ongoing. It is not yet known whether the flash drives were mistakenly disposed of, lost within the facility, or if they were taken illegally. UAB Medicine therefore cannot confirm whether the PHI on the devices has been viewed by unauthorized people.

The breach of PHI has lead to UAB Medicine to review its security measures and putting in place safeguards to prevent similar incidents from occurring in the future. All patients affected by the incident were advised of the breach by mail recently.

Due to the limited nature of data that was accessible, patients are not thought to face a high risk of identity theft and fraud. As a safety measure, patients have been told to monitor their credit reports for any evidence of fraudulent activity.

Since the potential for unauthorized access of PHI cannot be eliminated, UAB Medicine is also providing patients impacted by the incident one year of credit monitoring and reporting services for freee.