The University of Arkansas for Medical Sciences (UAMS) has discovered a breach of patient information and is notifying the affected patients.
On Nov. 29, 2021, UAMS became aware that on Nov. 15, 2021, a former employee, while still employed with UAMS, sent emails with patient information attached from her UAMS email account to her personal Gmail account. The attachments consisted of Excel spreadsheets used for internal billing compliance auditing purposes and/or billing statements addressed to UAMS for reimbursement. The information included the names of 518 patients, their hospital account numbers, dates of service, insurance type, claim information for billing purposes and medical record numbers. For a handful of patients, their dates of birth and medication information were also included. The former employee, who voluntarily left UAMS, contends it was a mistake.
No credit card, debit card, bank account, address, driver’s license or Social Security numbers were included in this information. The attachments did not include any clinical documents or medical records, such as progress notes by physicians, nurses or other health care providers, medical history or lab results.
UAMS is notifying affected patients by mail and through its website.
“UAMS takes patient privacy and security seriously, and when we discovered this mistake, we did everything we could to mitigate the risk and prevent similar incidents from happening,” said Heather Schmiegelow, J.D., UAMS HIPAA privacy officer.
Immediately upon discovering the incident, UAMS filed a police report with the UAMS Police Department. The UAMS Vice Chancellor of Compliance contacted the former employee about the seriousness of the matter. The former employee explained that it was a mistake. She further explained in writing that it was an unintentional error on her part, and she did not retain or share any of the information.
UAMS has policies and procedures to safeguard and protect the privacy and security of patients’ health information, and all employees are trained on these policies and procedures. All employees are required to complete HIPAA training every year. The training covers topics such as using and accessing patients’ health information for legitimate, authorized purposes needed to perform job duties. It also addresses using secure and encrypted email and not using employees’ personal email to send and receive health information of UAMS patients.
If UAMS patients have questions or concerns, they may contact the UAMS HIPAA Office by email at hipaa@uams.edu, by phone at 501-603-1379 or toll free at 1-888-729-2755. They may also call the UAMS Compliance Hotline at 1-888-511-3969 after-hours and on holidays.
