A surgeon at Lexington-based University of Kentucky HealthCare recently sent two emails containing detailed patient information to roughly 60 individuals, including a news producer at ABC 36.
The producer, Morgan Henry, had no connection to the hospital, but said she graduated from UK's journalism school more than a year ago.
The emails contained patients' last names and included personal information such as their medical conditions. For example, one email contained details about a woman with Alzheimer's disease, stating: "needs comfort care, but family not willing. She will die soon. Family does not want to talk." The subject line reads, "confidential."
To assess potential damage from the breach, ABC 36 called the hospital and provided the operator with the information it had on various patients, including last names, the area of hospital they were in and their medical details. The news outlet said it was connected to a patient's room or a nearby nurse's station almost every time.
UK HealthCare provided the following statement to ABC 36 after the news outlet alerted the hospital to the error:
"Thank you for bringing the inadvertent sending of an email to our attention. Immediate action has been taken by UK HealthCare regarding this incident.
"Protecting patient privacy is of the utmost importance and of the highest priority for UK HealthCare and we provide extensive training on our privacy policies and procedures to all employees. However, mistakes sometimes do occur. In such cases, UK HealthCare's corporate compliance office engages our standard procedures which are to investigate and mitigate each incident or occurrence.
"In this specific case, an email with patient information was inadvertently sent to someone who was not intended to be included. This issue has been reported to the UK HealthCare privacy officer who began an investigation of the incident. The privacy officer will work to ensure that the email address recipient list is corrected and conduct a HIPAA (Health Insurance Portability and Accountability Act) breach risk analysis. Additionally, notification will be made to any patients as required by federal or state law."
The hospital's chief privacy officer sent a notice to Ms. Henry requesting she delete the email. It's not clear whether other recipients received similar requests.
HHS' Office for Civil Rights only requires healthcare organizations to report breaches involving at least 500 patients, so it is unlikely the hospital will have to report the breach to the federal agency.