DataBreaches.Net


Two University of Florida breaches in 2013 that I seem to have missed

Posted on January 5, 2014 by Dissent

Just stumbled across these while searching for something else and I don’t recall ever seeing them before – from UF’s web site:

UF Beaches Women’s Health Specialists Lab Tests Inadvertently Sent to Baptist Medical Center
Published: July 15th, 2013

The University of Florida (UF) is notifying 142 patients of the University of Florida Beaches Women’s Health Specialists seen by Kristin Caldow, M.D. that had sexually transmitted disease (STD) testing performed from August 2012 to June 2013. Due to an administrative error, lab test results for patients of Dr. Caldow were sent to Baptist Medical Center Beaches in Jacksonville. Baptist Medical Center Beaches retained the lab test results in anticipation of these patients becoming patients of Baptist. After receiving lab test results for several months for patients who did not become patients of Baptist, in June 2013, Baptist notified the UF Beaches Women’s Health Specialists of its receipt of these lab test results. In response, an employee of UF Beaches Women’s Health Specialists went to Baptist and collected all copies of the lab test results of patients that were mistakenly sent to Baptist and returned them to UF Beaches Women’s Health Specialists. UF also instructed the outside lab to cease sending lab test results of Dr. Caldow’s patients to Baptist. The lab results sent to Baptist also included patients’ names, addresses, home phone numbers, dates of birth, the last four numbers of their social security number, test results, and ordering physician information for Dr. Caldow.

Documents

  • Copy of letter by UF officials (PDF, 153 KB)
  • Answers to Commonly Asked Questions (PDF, 165 KB)
  • Identity Theft Brochure (PDF, 1.08 MB)

AND:

UF Department of Medicine Clinic Unauthorized Patient Record Access
Published: March 7th, 2013

JACKSONVILLE, Fla. — The University of Florida is notifying 151 patients that their personal and medical information was inappropriately accessed by an employee of the UF Department of Medicine Clinic at Emerson in Jacksonville. An employee was found to have accessed the accounts of 151 patients in a UF electronic medical record system. The employee did not have a legitimate business reason to access these patient accounts. 30 of the accounts accessed by this employee were of her co-workers and other UF employees who were patients of UF physicians. The employee had access to the electronic medical record system in furtherance of her job duties as a medical assistant. Once in a patient’s account in the electronic medical record system the employee was able to view patient name and date of birth, demographic information such as address, the patient’s social security number and medical information concerning the patient.

Florida law requires that patients be notified when their social security number is accessed by unauthorized parties without a legitimate business need or patient consent.

It is unclear why the employee viewed the patient information of these 151 patients; however, it is suspected that the employee may have known these individuals personally, and they may be friends, family or acquaintances of the employee. We do know that 30 of the patients whose accounts she accessed were co-workers and UF employees.

The employee was hired as a part-time employee in November of 2102 and became a full-time employee in December of 2012. The inappropriate access was first reported to the UF Privacy Office on February 4, 2013 and after an investigation was conducted and the employee was interviewed, the employee’s employment was terminated on February 7, 2013.

The employee had completed 2 on-line UF privacy training courses and also attended a 30 minute live privacy session during new employee orientation. The employee knew or should have known that accessing the patient accounts without a legitimate business reason was in violation of UF policy.

The University of Florida has sent a letter notifying all of the patients whose information had been accessed by this employee. The UF Privacy Office mailed the patient letters Thursday, March 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number 1-866-876-HIPA if they have questions.

Documents

  • Answers to Commonly Asked Questions (Updated 3/5/2012)
  • Copy of letter by UF officials (PDF, 92 KB)
  • Identity Theft Brochure (PDF, 44 MB)

UF had five breaches reported in 2013 (not all involved patient data), but three of the five involved insiders stealing or accessing patient data for malicious purposes like tax refund fraud schemes.

Because two of the breaches involved fewer than 500 patients, they did not appear on HHS’s public breach tool, but presumably were reported to HHS. So the question is: what is HHS doing about all these breaches at UF? How many more breaches do they have to have before there’s enforcement action to get them to better prevent and/or detect problems?

Category: Health Data
