A healthcare provider in Kentucky admitted that personal health information (PHI) belonging to its 40,000 patients was erroneously disclosed to unintended parties.
UofL Health is a health system with more than 200 physician practices and hospitals, more than 700 providers, the Frazier Rehab Institute and the Brown Cancer Center.
According to the notification filed with the federal Department of Health and Human Services Office for Civil Rights, the incident compromised the personal data of 42,465 individuals.
The sensitive information was accidentally sent to an email address outside the health system's network.
The healthcare system did not provide details about the data contained in the email.
In a notice posted to its website, UofL Health stated: “On June 7, we sent some of our patients a letter explaining that we had recently discovered that some UofL Health emails containing some of their health information were sent to an external domain. We provided that notice based on our best knowledge as of that day.”
The email was deleted and the data was investigated, according to the rest of the notice.
However, the healthcare provider gives assurances that no one has seen the sensitive information.
“The next day, on June 8, we received a response from the owner of the external domain, providing us with technical evidence that the emails we were concerned about were never viewed or accessed, and have been deleted,” said UofL Health. “We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner.”
Following the incident, in which patients' data was compromised, the affected individuals were offered free identity protection.
Such human errors have led to data breaches before. In October 2020, in a similar incident, health plan Humana experienced a data breach because of a mistake by the company's subcontractor that affected over 60,000 health plan members.