Emory Healthcare (EHC) recently learned that some EHC patients’ protected health information was located on a University of Arizona College of Medicine Microsoft Office 365 OneDrive Account. The files were obtained and placed on the account by a former EHC physician who now works at the University of Arizona (UA). The physician took this action without the authorization or knowledge of EHC.

Based on information disclosed to us by the UA from their investigation, it is our understanding that the information may have been accessible to individuals that were set up with a specific type of UA e-mail account, but there is no indication that the information was accessed or used in any way while on the OneDrive Account. EHC has no reason to believe patient information was actually viewed by anyone outside of EHC other than former EHC physicians who now work for the UA, limited UA staff and those at UA investigating this incident.

The UA took immediate action to remove the information from the OneDrive account and hired a third-party forensic firm to review the account. The UA has confirmed that all EHC patient information has been deleted from its systems and we have no reason to believe that misuse of anyone’s information in the future is likely.

On October 18, 2017, EHC received a list of the files that were located on the OneDrive account, and is notifying impacted patients about this incident by mail. The files primarily contained information about patients who received radiology services at EHC from 2004 to 2014. The information included patients’ names, and in some cases dates of birth, dates of service at EHC, provider names, medical record numbers, diagnostic/treatment information and treatment locations.

The files did not include Social Security number, drivers’ license number, address, phone number, credit card information or any financial information.

Affected patients should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.

EHC apologizes for this situation and for any concern it may cause patients. Moving forward, the organization is further reviewing and working to enhance its security measures and patient care team education programs to help prevent something like this from happening in the future.

Affected patients may obtain additional information by calling a confidential, toll-free inquiry line at 1-877-494-9830, between 9:00 a.m. and 9:00 p.m., Eastern Time, Monday through Friday.