DataBreaches.Net


Two University of Florida breaches in 2013 that I seem to have missed

Posted on January 5, 2014 by Dissent

Just stumbled across these while searching for something else and I don’t recall ever seeing them before – from UF’s web site:

UF Beaches Women’s Health Specialists Lab Tests Inadvertently Sent to Baptist Medical Center
Published: July 15th, 2013

The University of Florida (UF) is notifying 142 patients of the University of Florida Beaches Women’s Health Specialists seen by Kristin Caldow, M.D. that had sexually transmitted disease (STD) testing performed from August 2012 to June 2013. Due to an administrative error, lab test results for patients of Dr. Caldow were sent to Baptist Medical Center Beaches in Jacksonville. Baptist Medical Center Beaches retained the lab test results in anticipation of these patients becoming patients of Baptist. After receiving lab test results for several months for patients who did not become patients of Baptist, in June 2013, Baptist notified the UF Beaches Women’s Health Specialists of its receipt of these lab test results. In response, an employee of UF Beaches Women’s Health Specialists went to Baptist and collected all copies of the lab test results of patients that were mistakenly sent to Baptist and returned them to UF Beaches Women’s Health Specialists. UF also instructed the outside lab to cease sending lab test results of Dr. Caldow’s patients to Baptist. The lab results sent to Baptist also included patients’ names, addresses, home phone numbers, dates of birth, the last four numbers of their social security number, test results, and ordering physician information for Dr. Caldow.

Documents

  • Copy of letter by UF officials (PDF, 153 KB)
  • Answers to Commonly Asked Questions (PDF, 165 KB)
  • Identity Theft Brochure (PDF, 1.08 MB)

AND:

UF Department of Medicine Clinic Unauthorized Patient Record Access
Published: March 7th, 2013

JACKSONVILLE, Fla. — The University of Florida is notifying 151 patients that their personal and medical information was inappropriately accessed by an employee of the UF Department of Medicine Clinic at Emerson in Jacksonville. An employee was found to have accessed the accounts of 151 patients in a UF electronic medical record system. The employee did not have a legitimate business reason to access these patient accounts. 30 of the accounts accessed by this employee were of her co-workers and other UF employees who were patients of UF physicians. The employee had access to the electronic medical record system in furtherance of her job duties as a medical assistant. Once in a patient’s account in the electronic medical record system the employee was able to view patient name and date of birth, demographic information such as address, the patient’s social security number and medical information concerning the patient.

Florida law requires that patients be notified when their social security number is accessed by unauthorized parties without a legitimate business need or patient consent.

It is unclear why the employee viewed the patient information of these 151 patients; however, it is suspected that the employee may have known these individuals personally, and they may be friends, family or acquaintances of the employee. We do know that 30 of the patients whose accounts she accessed were co-workers and UF employees.

The employee was hired as a part-time employee in November of 2102 and became a full-time employee in December of 2012. The inappropriate access was first reported to the UF Privacy Office on February 4, 2013 and after an investigation was conducted and the employee was interviewed, the employee’s employment was terminated on February 7, 2013.

The employee had completed 2 on-line UF privacy training courses and also attended a 30 minute live privacy session during new employee orientation. The employee knew or should have known that accessing the patient accounts without a legitimate business reason was in violation of UF policy.

The University of Florida has sent a letter notifying all of the patients whose information had been accessed by this employee. The UF Privacy Office mailed the patient letters Thursday, March 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number 1-866-876-HIPA if they have questions.

Documents

  • Answers to Commonly Asked Questions (Updated 3/5/2012)
  • Copy of letter by UF officials (PDF, 92 KB)
  • Identity Theft Brochure (PDF, 44 MB)

UF had five breaches reported in 2013 (not all involved patient data), but three of the five involved insiders stealing or accessing patient data for malicious purposes like tax refund fraud schemes.

Because two of the breaches involved less than 500 patients, they did not appear on HHS’s public breach tool, but presumably were reported to HHS. So the question is…. what is HHS doing about all these breaches at UF? How many more breaches do they have to have before there’s enforcement action to get them to better prevent and/or detect problems?

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.