The health system says the patient data was mistakenly posted on a web development server and was spotted by a member of the public who called.

A large university health system in Iowa has inappropriately posted patient data. And it took two years for the University of Iowa Hospitals and Clinics to realize it had mistakenly posted the partial medical records of 5,300 patients online.

On April 29 University of Iowa Health Care discovered that in May 2015 a limited set of data containing protected health information of approximately 5,300 patients was inadvertently saved in unencrypted files that were posted online through an application development site. Two years later the health system deleted the files.

Information contained in the electronic files included patient names, dates of admission and medical record numbers. The files did not contain clinical information such as diagnosis or treatment notes, Social Security numbers or credit card and other financial information, the hospital says.

The health system became aware of the incident 'after being spotted by a member of the public who called.'

University of Iowa Health Care sent letters to impacted patients on June 22, but only publicly disclosed the error in the last two days. The health system also says it has detected no inappropriate use of the posted patient data but will continue to monitor the situation.

“While the information included in the files was very limited, we are advising individuals of steps to help prevent and detect misuse,” University of Iowa Health Care says.

advertisement

The health system says the patient data was mistakenly posted on a web development server and became aware of the incident “after being spotted by a member of the public who called.”

University of Iowa Health Care is tightening its procedures about database and electronic health records management and is conducting more staff training to prevent future incidents, a hospital spokesman says.

The violation has been reported to the U.S. Department of Health and Human Services Office of Civil rights, which enforces and fines hospitals for patient data privacy violations.

By law hospitals are required to notify the federal government within 60 days of an incident.

advertisement

The health system says it does take the patient data violation seriously. “UI Health Care understands the serious nature of any potential breach—no matter how limited—so it has conducted a thorough investigation, identified and mitigated the risks, and strengthened its training and information oversight efforts to prevent a similar occurrence.”

University of Iowa Health Care operates a 761-bed teaching hospital based in Iowa City.

Favorite