Unapproved and Unsecured Cloud Service Used to Store UMC Physicians Patients Health Data

The UMC Physicians medical group based in Lubbock, TX sent notifications to UMC Southwest Gastroenterology patients regarding the compromise of some of their protected health information (PHI) resulting from the judgement mistakes of two of UMC’s service providers.

To track follow up tasks on providing patient care, the service providers each utilized a Google shared drive. They acquired the shared drives in good faith looking to give better patient care. However, they made the mistake of getting the drives from an unapproved cloud storage service resulting to the storage of patient data in an unsecured network.

UMC Physicians found out about the policy violation on March 12, 2019 and determined to find out if there was PHI exposure through investigation. While investigating, UMC Physicians found out as well the sending of emails containing patient information to an unsecured Gmail account by one provider .

The patient information stored on the unsecured network and those forwarded to the Gmail account included: names, phone numbers, addresses, birth dates, dates of service, medical record numbers, health insurance companies, diagnoses, and treatments. No insurance policy numbers, financial information, Social Security numbers or other highly sensitive information was exposed.

Because of the incident, UMC Physicians employees received further training on cloud storage solutions. So that unauthorized cloud storage solutions will not be used again, UMC Physicians set certain technical controls.

At this point, no evidence indicated patient data access or misuse by unauthorized people. UMC Physicians by now sent by mail breach notifications to all patients affected by the breach. There’s no exact number of affected patients yet at this time.