How many patient data breaches can a covered entity have before HHS OCR opens a serious investigation into their compliance with the HIPAA Security Rule?
According to DataBreaches’ count, UT Southwestern Medical Center in Texas has disclosed at least four breaches since July 2023. As a brief recap of the first three:
- In July 2023, UT Southwestern Medical Center notified HHS that 98,437 patients had protected health information stolen in the MOVEit breach in May. Clop’s exploitation of vulnerabilities in the file transfer software became the biggest breach of 2023, affecting more than 2,000 organizations and tens of millions of individuals.
- On March 27, 2024, UT Southwestern Medical Center notified HHS that 1,956 patients had been affected by a breach that did not involve any attack or cyberattack. That incident was reportedly linked to internal use of unapproved software that enabled unauthorized individuals to access patient data. Patient addresses, medical status, health insurance, and dates of birth may have been accessed.
- In September 2024, UT Southwestern Medical Center notified HHS and patients that on August 12, they learned that an unauthorized individual gained access to patient registration information in their EMR system at their Frisco medical office building. Information including name, address, date of birth, Social Security number, driver’s license number, and financial, medical, and health insurance details of 778 patients could have been accessed impermissibly.
What Happened Now?
And now there’s been another breach, although it seems that UT Southwestern Medical Center has not individually notified all of the 40,668 patients potentially affected — or at least, not yet. The Texas Attorney General’s Office was notified of the breach on December 10, but it is not clear whether HHS is being notified or whether patients will be notified individually. But HHS should take note of this incident.
A notice on UT Southwestern Medical Center’s website states, in part:
On Oct. 10, 2024, UT Southwestern was made aware of an unintentional improper disclosure of protected health information. UT Southwestern has received no indication that the information has been used inappropriately but is notifying those involved out of an abundance of caution and in accordance with UTSW policy.
Workforce members using a third-party calendar management tool inadvertently permitted vendor access to some calendars, which in some instances included patients’ protected health information. This may have included information such as name, date of birth, medical record number, phone number, date of service of planned services, medical diagnosis, lab results, medication information, insurance benefits information, and, in some instances, partial social security numbers. It did not include credit card numbers or other financial account information.
For how long did this inadvertently permitted access go on? And importantly: does this mean that UT Southwestern routinely uses an online third-party calendar management tool that includes protected health information in clear text? This calendar management tool is an online tool that presumably a large number of individuals might have access to. Does access even require multifactor authentication?
Perhaps it is time for HHS OCR to audit UT Southwestern Medical Center to look at its risk assessment and compliance with the HIPAA Security Rule. Given how many people have their login credentials stolen by infostealers, or re-use credentials that were already stolen in earlier attacks, does the medical center have appropriate security for its calendar management tool and other PHI data?
Inspection of HHS’s public breach tool indicates that there has been no closed investigation into any of these four incidents.