A Health Insurance Portability and Accountability Act (HIPAA) breach was recently discovered, which might affect the privacy and security of certain health information of some obstetrics and gynecology (OB/GYN) patients treated at Regional One Health (ROH).
The breach may have included the following patient information: first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow-up care.
It is important to note that no other protected health information (PHI), such as date of birth, address, social security number, credit card information, bank account information, or other financial information, was involved.
Through an agreement with ROH, residents from the University of Tennessee Health Science Center see patients at the hospital. Residents are supervised by fully licensed physician faculty members of the University of Tennessee Health Science Center. Beginning in November 2014, the University of Tennessee Health Science Center contracted with a company called KMJ Health Solutions, Inc. (KMJ) to procure a patient handoff software for use by their OB/GYN residents that helps support the appropriate transfer of care and responsibility of patients from one health care provider to another.
On or about November 29, 2023, KMJ reported a security incident to the University of Tennessee Health Science Center after detecting an outage with its computer network server. KMJ’s technical experts immediately erased and reformatted the impacted server’s hard drive. KMJ also hired a cybersecurity firm to assess the nature and scope of KMJ’s malfunctioning server to determine whether it presented any potential threats to KMJ’s computer systems. The investigators were unable to find artifacts or indicators to make a definitive ruling.
On January 18, 2024, KMJ notified the University of Tennessee Health Science Center that its host provider, Liquid Web, had discovered evidence of a ransomware attack. Whether or not the unauthorized person(s) who initiated the ransomware attack on KMJ’s server downloaded a copy of KMJ’s eDocList PHI data, such that any unauthorized person(s) would still have access to the PHI, is unknown.
The information stored on KMJ’s affected server included PHI of patients who received OB/GYN services at ROH between November 2014 and November 2023.
In the aftermath of the incident and on an ongoing basis, KMJ’s internal team continues to work diligently to fortify their systems further. In response to this event, they have implemented new technical safeguards, including, without limitation, vulnerability scans, penetration testing, and configuration reviews.
As previously mentioned, no financial or bank account information was compromised. Therefore, it does not appear that affected patients face any significant risk of identity theft or harm to their credit. However, affected patients are encouraged to be on the lookout for any letters, emails, phone calls, or other communications from unknown or unverified persons wanting to discuss the services they received during the relevant time frames at ROH or seeking additional information from the patient. Affected patients should be careful to discuss such patient care information only with health care providers and hospital representatives after confirming their identity. Those who are concerned about potential identity theft or harm to their credit may choose to monitor their credit reports or consider placing a fraud alert on their credit report free of charge. Additional information and resources on this can be found on the Tennessee Attorney General’s Consumer Protection website at https://www.tn.gov/tbi/crime-issues/crime-issues/identity-theft.html and on the Federal Trade Commission’s website at https://consumer.ftc.gov/features/identity-theft.
The information contained in this notice is also available on the University of Tennessee Health Science Center’s website at www.uthsc.edu, and ROH’s website at www.regionalonehealth.org.
The University of Tennessee Health Science Center and its affiliates and contractors, including KMJ as the University of Tennessee Health Science Center’s contractor, are committed to safeguarding patients’ PHI and will continue to seek to enhance the privacy and security of all PHI in their care. Those seeking additional information regarding this incident may call the University of Tennessee Health Science Center’s Institutional Compliance Office at 1.888.953.4484, Monday through Friday, between 8 a.m. and 5 p.m. Central Time.