Health Data of UMC Physicians Patients Uploaded to Unapproved and Unsecured Cloud Service

The medical group UMC Physicians, based in Lubbock, TX, notified UMC Southwest Gastroenterology patients that some of their protected health information (PHI) was compromised due to errors committed by two of its hired service providers.

The service providers used a Google shared drive to track follow-up tasks associated with patient care. Although the shared drives were acquired with the good intention of helping provide better care to patients, the providers made the mistake of using an unapproved cloud storage solution. Consequently, patient information was stored on an unsecured network.

UMC Physicians learned about the policy violation on March 12, 2019 and investigated the incident to determine whether patients’ PHI had been exposed. During the investigation, UMC Physicians also found that one provider was sending emails containing patient data to an unprotected Gmail account.

The following patient information was saved on the unsecured network and forwarded to the Gmail account: names, addresses, phone numbers, medical record numbers, birth dates, dates of service, health insurance providers, diagnoses, and medical treatments performed. No highly sensitive data such as insurance policy numbers, Social Security numbers or financial data was exposed.

After discovering the incident, UMC Physicians provided further employee training on using approved cloud storage solutions. UMC Physicians also implemented technical controls to prevent the use of unauthorized cloud storage solutions in the future.

To date, no evidence has been found indicating that unauthorized persons accessed or misused patient data. UMC Physicians has already mailed breach notification letters to all patients whose PHI was compromised. The exact number of affected patients is still unclear at this time.