A healthcare system located in Kentucky is notifying more than 40,000 patients of an error that saw their personal health information (PHI) emailed to the wrong address.
UofL Health, which is based in Louisville, consists of five hospitals, four medical centers, nearly 200 physician practice locations, more than 700 providers, the Frazier Rehab Institute and Brown Cancer Center.
Earlier this month, the system notified the Health and Human Services Office for Civil Rights of an email security incident involving the unauthorized disclosure of data belonging to 42,465 individuals.
Patients’ PHI was put at risk when it was erroneously sent to an email address outside of the health system’s network. According to UofL, the accidental recipient of the data did not view or access any patient information.
The healthcare system, which employs more than 12,000 physicians, surgeons, nurses, pharmacists and other highly skilled health care professionals, did not state what data was contained within the email.
In a notice posted to its website, UofL Health stated: “On June 7, we sent some of our patients a letter explaining that we had recently discovered that some UofL Health emails containing some of their health information were sent to an external domain. We provided that notice based on our best knowledge as of that day.”
The notice went on to say that the email had since been deleted and that the safety of the data had been investigated.
“The next day, on June 8, we received a response from the owner of the external domain, providing us with technical evidence that the emails we were concerned about were never viewed or accessed, and have been deleted,” said UofL Health.
“We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner.”
Patients whose data was impacted by the incident have been offered free identity protection services.
Earlier this year, Kentucky-based Health Plan Humana was affected by a data breach that impacted 62,950 plan members. Cotiviti, one of the company’s subcontractors, inappropriately disclosed data to unapproved individuals for training purposes for three months from October 2020.