The health care facility plans to mail impacted patients who had surgery or were seen by a neurosurgeon from January to June 2010. Some patient data included name, address, date of birth, medical record number and date of service. Others also included more sensitive information such as diagnoses, medications, surgical and other procedure names, and lab results.
The breach came to light after the resident physician shared the records with her attorney during a wrongful termination lawsuit hearing.
“UAMS does not allow its employees, including residents, to keep medical record information after leaving UAMS, and we are not sure why this resident kept all of this information,” according to a Web site page on the breach. “She informed us that she intended to use some of it for research, but assured us that she had not actually done research on the data. She also used some of the information in her lawsuit against UAMS, which is a lawsuit regarding her termination from UAMS. She assured us that she did not share this information with anyone other than her attorney. UAMS’s attorneys have also seen these documents. Both the residents’ attorneys and UAMS’s attorneys have Business Associate Agreements that ensure they protect the confidentiality of this information. There is also a court order in place to ensure these documents remain confidential.”
No financial data or Social Security numbers were involved, but officials are suggesting anyone worried about identity theft should obtain credit reports and consider placing a fraud alert.
News reports identified the resident as Nasrin Fatemi, M.D., who complained prior to her dismissal that she was being treated differently from male residents. The lone female resident at that time, Fatemi formally complained of gender discrimination, and on June 3 she was fired by the incoming program chair.
Her attorney maintains Fatemi did not violate UAMS policy and that hospital officials knew she had the records. UAMS authorities claim the patient data came to light in October during a court hearing related to her lawsuit.
The Little Rock hospital suffered a larger data breach earlier this year when billing information on 7,000 interventional radiology patients between 2009 and 2011 was sent via a Web-based email service without having patient identifiers removed. The data was later destroyed by the recipient, and the employee who failed to de-identify the data was disciplined for violating UAMS policies.