The UT Health Science Center Physicians at a Memphis Partner hospital recently announced a data breach.
What happened
On March 15th, the University of Tennessee announced they had faced a HIPAA breach, which impacted the obstetrics and gynecology practices at Regional One Health (ROH) in Memphis.
Currently, UT has an agreement where residents from the University’s Health Science Center can see patients at ROH while overseen by a fully licensed physician. Furthermore, UT is also contracted with KMJ Health Solutions, which produces patient handoff software for residents designed to support the transfer of patient care from providers. Unfortunately, KMJ reported a data breach at UT’s Health Science Center on November 29th, 2023. KMJ found the breach after detecting an outage within the network server.
What’s new
Now, UT has issued a press release sharing that patient data was impacted. The press release shared that the following information may have been accessed: first and last names, medical record numbers, ages, dates of admission, allergies, services, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information about follow up care.
Going deeper
When the initial breach happened to KMJ’s computer network server, the company brought in technical experts to erase and reformat the impacted hard drive. KMJ also brought in a third-party cybersecurity firm to investigate and assess the scope of the breach.
The investigation was inconclusive; the firm was unable to definitively determine if there were any additional potential threats to KMJ’s computer systems.
Adding to the complexity, KMJ received notice on January 18th, 2024, that the breach had been initiated against KMJ’s website host provider, Liquid Web. It’s unknown whether any data from KMJ’s server, such as PHI information, was downloaded or accessed. Information on the server spanned November 2014 to November 2023 and could impact patients who received care from ROH over that time period.
What they said
In UT’s statement, the university shared that “KMJ’s internal team continues to work diligently to fortify their systems further. In response to the event, they have implemented new technical safeguards, including, without limitation, vulnerability scans, penetration testing, and configuration reviews.”
UT is advising past patients to be on the lookout for letters, emails, phone calls, or other communications from unverified persons who may attempt to gain additional information. Lastly, UT stated they and their affiliates are “committed to safeguarding patients’ PHI and will continue to seek to enhance the privacy and security of all PHI in their care.”
Why it matters
This data breach stresses the complexity of information storage. Many organizations, like UT, work with other medical organizations and software companies. Even if UT had the highest levels of security, they were still impacted by security failures in other organizations.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
