43,000 UT Southwestern Medical Center Patients Impacted by Data Breach

UT Southwestern Medical Center (UTSW) in Texas has submitted a breach report to the HHS' Office for Civil Rights (OCR) for an unauthorized access/disclosure incident involving email that affected the protected health information (PHI) of 43,048 patients.

According to the substitute breach notice posted on its website, UTSW discovered the privacy incident on October 10, 2024. Employees had been using a third-party calendar management application that unintentionally allowed the vendor to access selected calendars, and some of those calendars contained patients' PHI.

The investigation showed that employees had entered patient information into the third-party application, including names, dates of birth, telephone numbers, medical record numbers, dates of service, medical diagnoses, laboratory test data, medication details, insurance benefits information and, for some patients, partial Social Security numbers.

The breach notice does not say how long employees had been using the calendar application, whether UT Southwestern Medical Center had approved the tool for use, or whether employees were permitted to handle patients' PHI in it.

Under the HIPAA Rules, when a third-party application is used in connection with electronic protected health information (ePHI), a business associate agreement (BAA) must be in place with the vendor. It appears that no BAA existed here. Had a signed BAA been in place, the disclosure to the vendor would have been a permitted disclosure to a business associate rather than a reportable data breach.

UTSW said it has received no reports of misuse of patient information as a result of this incident. Notification letters will be mailed to the affected individuals promptly. UTSW stated that it has implemented procedures to limit the amount of data disclosed to third-party vendors and will continue to monitor for sensitive information leaving its network and systems.

This year has not been a good one for UTSW as far as data breaches are concerned. The medical center has reported three breaches to OCR this year, and this incident is the sixth data breach it has reported since 2020. In September, an unauthorized individual accessed its electronic medical record system and impermissibly viewed the ePHI of 778 individuals. In March, unauthorized individuals accessed the PHI of 1,956 patients as a result of the use of unapproved software.

In May 2023, UTSW reported a hacking and unauthorized access breach affecting the ePHI of 98,437 patients, in which the Clop group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer solution. Before that, UTSW reported two unauthorized disclosure incidents, one affecting 3,640 records in 2021 and another affecting 15,535 records in 2020.


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.