A physician at the University of Arkansas for Medical Sciences sent financial data to an outside individual for analysis, resulting in a breach of protected health information affecting about 7,000 patients.

The physician sent the information in February and intended to remove all patient-identifying information, but the academic health center learned on April 6 that identifiers remained in the information.

Affected patients were treated in the interventional radiology unit between 2009 and 2011. No financial or Social Security account numbers were in the information, but it included names, UAMS account numbers, service dates, procedures, diagnosis codes, charges and payments. The recipient of the data assured the university that he did not disclose the information elsewhere and did not look at or use patient names during the financial analysis, according to UAMS. The information has been destroyed.

The university says the physician “has been placed in the disciplinary process for violating UAMS policies,” according to a statement. Affected patients have been notified. The university is not offering paid credit protection services and explained the rationale in an e-mail to Health Data Management:

“Because the nature of the data does not pose a risk of financial harm, we are not offering credit monitoring.  The data contained no Social Security numbers, dates of birth, or demographic information (addresses, etc.) that could be used for identity theft or other types of financial fraud.  Because the data did contain names and information about the patients’ condition (their diagnosis code and the procedure they had done) there is a risk of reputational harm (someone finding out what disease they had), and that is why we are notifying patients.  We would not want to cause undue alarm by making patients think that there was a risk of identity theft as a result of this incident.”

The Arkansas incident is at least the fifth major data breach reported in about two weeks. Others and the number of affected patients include the Utah Department of Health (780,000), Emory Healthcare (315,000), South Carolina Department of Health and Human Services (228,435) and St. Elizabeth’s Medical Center in Boston (6,831).
