The University of Iowa Hospitals and Clinics (UIHC) notified HHS’ Office for Civil Rights of a data breach attributable to an error by a student employee that exposed the Protected Health Information (PHI) of 5,292 patients to the Internet for more than a year.
According to the breach notification, the teaching hospital student error occurred in 2016 when a student employee of UIHC used GitHub to program a data transfer of PHI. However, rather than being set to private, the repository remained publicly visible. This meant the repository, its code, and its contents were available to anybody with Internet access.
The impermissible disclosure of PHI was not noticed by UIHC or by any of its workforce until April 29, 2017, when the visibility of the repository was changed to private. Because the nature of the impermissible disclosure did not meet any of the exclusion criteria in §164.402, the breach was notifiable to HHS’ Office for Civil Rights, the media, and affected individuals.
The Consequences of the Teaching Hospital Student Error
Despite the data breach being attributable to a teaching hospital student error, it is not clear whether any sanction was imposed on the student, or on the member of staff responsible for the Enterprise GitHub account, who should have set the default repository visibility to “internal visibility only”. However, as a result of the teaching hospital student error UIHC was required to:
- Update its Security Rule Risk Management Plan
- Implement periodic technical and nontechnical evaluations
- Provide HIPAA training to workforce members responsible for programming.
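The two controls implied by this incident, keeping repositories off the public default and catching PHI before it is committed, can both be checked mechanically. The following is an added example written for this article, not UIHC’s code or any GitHub tooling: the PHI patterns, the sample CSV export and the repository records are constructed for illustration, and the repository records only mimic the `visibility` field ("public", "private", "internal") that the GitHub REST API returns for a repository.

```python
"""Two defensive checks for PHI in source repositories (added example).

1. scan_text(): a pre-commit style scanner that flags lines likely to contain PHI.
2. audit_visibility(): flags repositories whose visibility is outside policy.

All patterns, field names and sample data below are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed heuristics: column/field names that commonly carry PHI.
PHI_FIELD_NAMES = {
    "ssn", "social_security", "dob", "date_of_birth", "mrn",
    "medical_record_number", "patient_name", "diagnosis",
}
# Constructed value patterns: SSN-shaped numbers and MRN-labelled identifiers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    reason: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per PHI indicator found, with the line it was found on."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        field_hits = sorted(f for f in PHI_FIELD_NAMES if re.search(rf"\b{f}\b", lowered))
        if field_hits:
            findings.append(Finding(path, line_no, "PHI field name(s): " + ", ".join(field_hits)))
        if SSN_RE.search(line):
            findings.append(Finding(path, line_no, "SSN-shaped value"))
        if MRN_RE.search(line):
            findings.append(Finding(path, line_no, "MRN-shaped value"))
    return findings


def should_block_commit(findings: list[Finding]) -> bool:
    """A pre-commit hook would refuse the commit when any indicator is present."""
    return bool(findings)


def audit_visibility(repos: list[dict], allowed: tuple[str, ...] = ("private", "internal")) -> list[str]:
    """Return names of repositories whose visibility is not in the allowed set.

    A record with no visibility field is treated as public, the unsafe default.
    """
    return [r["name"] for r in repos if r.get("visibility", "public") not in allowed]


# Constructed sample input: a PHI export that should never reach a shared repository.
SAMPLE_EXPORT = (
    "patient_name,mrn,dob,diagnosis\n"
    "Jane Doe,MRN 00123456,1984-03-07,J45.909\n"
    "John Roe,MRN 00987654,1979-11-22,E11.9\n"
)
# Constructed sample input: ordinary code with no PHI indicators.
SAMPLE_SCRIPT = "import csv\nrows = list(csv.reader(open('export.csv')))\nprint(len(rows))\n"
# Constructed repository records mimicking the API's `visibility` field.
SAMPLE_REPOS = [
    {"name": "phi-transfer", "visibility": "public"},
    {"name": "etl-jobs", "visibility": "internal"},
    {"name": "legacy-scripts"},  # visibility missing: treated as public
]

if __name__ == "__main__":
    for f in scan_text("export.csv", SAMPLE_EXPORT):
        print(f"{f.path}:{f.line_no}: {f.reason}")
    print("block commit:", should_block_commit(scan_text("export.csv", SAMPLE_EXPORT)))
    print("out-of-policy repositories:", audit_visibility(SAMPLE_REPOS))
```

The scanner is deliberately conservative: a field name in a header row is enough to block the commit, so a data transfer script that embeds real patient records is stopped before push rather than discovered a year later. The visibility audit treats a missing `visibility` value as public so that a misconfigured account fails closed.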
HHS’ Office for Civil Rights took no further action after obtaining documented assurances from UIHC that the teaching hospital had implemented the corrective actions listed. However, although UIHC was not fined for the teaching hospital student error on this occasion, the incident could have significant financial consequences in the future.
The Potential Consequences for Future Data Breaches
When HHS’ Office for Civil Rights and State Attorneys General assess whether to take further action against a covered entity, one of the considerations taken into account is the covered entity’s previous history of HIPAA compliance. Unfortunately, UIHC has a poor track record of HIPAA compliance.
Following the discovery of the teaching hospital student error in 2017, UIHC subsequently notified HHS’ Office for Civil Rights of a second teaching hospital student error in 2019, which resulted in the impermissible disclosure of PHI to research students. HHS’ Office for Civil Rights again took no further action, but is now investigating a third incident.
The third incident is a data breach at UI Community Home Care in which cybercriminals were able to hack a cloud storage volume. According to a class action lawsuit filed after the hacking incident was notified to HHS’ Office for Civil Rights, the security measures implemented on the cloud storage volume are alleged to have been “cheap and inefficient”.
This lawsuit is the second of two against UIHC related to HIPAA violations. In May 2023, a lawsuit was filed in the U.S. District Court for the Southern District of Iowa alleging UIHC unlawfully, negligently, and recklessly disclosed patients’ private information to Facebook, without obtaining patient consent.
This alleged breach has not yet been notified to HHS’ Office for Civil Rights; and, if the lawsuit proves successful, UIHC will not only be investigated for an impermissible disclosure of PHI to Facebook, but also for delaying notifications for longer than the 60 days allowed by the Breach Notification Rule. In this case, it is more than likely that the teaching hospital’s previous history of HIPAA compliance will be taken into account, including the 2016 teaching hospital student error.