The resident was terminated in 2010 and filed suit. The university learned of the breach when the resident produced documents during lawsuit proceedings on Oct. 9, 2012, according to a statement from the university. The university learned a month later that its attorneys already had been provided some documentation in June 2012. “The records are now protected by a court order, which prevents them from becoming a public record and will prevent anyone from further using or disclosing the documents,” according to the university.
The resident said under oath that she did not share the documents with anyone but her attorneys under a business associate agreement. The resident took some documents for research that was not done and took other documents to use in the lawsuit. Protected information in the documents included patient names, partial addresses, medical record numbers, dates of birth, ages, care locations, dates of service, diagnoses, medications, surgical and other procedure names, and laboratory results. No Social Security numbers or financial information was included in the documents.
A university spokesperson did not respond to an e-mail asking if affected patients would receive paid credit and/or identity theft protection services.
An informational Web page set up for patients says: “The former UAMS physician and the attorneys involved are not individuals we would be concerned with attempting to steal patient identities, so we have determined that there is not a risk of financial harm as a result of this breach. However, if you are worried about identity theft, we recommend that you contact the three credit reporting agencies to obtain a copy of your credit report and also to place a fraud alert on your file.”