The medical center has filed another breach to the Department of Health and Human Services (HHS).
What Happened
The University of Texas Southwestern Medical Center (UTSW) recently submitted a breach report to the HHS’ Office for Civil Rights (OCR) regarding a data breach that impacted the protected health information (PHI) of approximately 43,048 patients.
UTSW reported that the breach was linked to an email that was either accessed or disclosed without authorization. The medical center stated they discovered the breach on October 10th, 2024, but required additional time to investigate the incident.
Accessed information may have included names, birth dates, telephone numbers, medical record numbers, date(s) of services, medical diagnoses, laboratory test data, medication details, insurance benefit information, and for some, incomplete Social Security numbers.
UTSW currently believes that there has not been any misuse of patient information and are mailing out notifications to impacted individuals.
In the know
According to UTSW, employees used a third-party calendar management application that unintentionally allowed the vendor to access certain calendars, some of which contained PHI. It’s unclear how long the access took place or if the employees who initially had access were permitted to do so.
UTSW has faced three breaches this year and six since 2020. In September, 778 individuals had their electronic PHI accessed by an unauthorized individual. In March 1,956 individuals had their data accessed because UTSW was using unapproved software. Other past breaches involved hacking, unauthorized access, and data leaks as the result of third-party vendors being violated. Overall, well over 100,000 individuals have been impacted.
What’s next
For UTSW, these breaches are a sign to significantly improve their cybersecurity measures. Breaches often occur as crimes of opportunity, meaning that attackers target organizations because they seem vulnerable. With UTSW gaining a reputation for being a victim of data breaches, it’s possible that it could continue to be targeted.
On top of this, multiple breaches could draw attention from the OCR, especially if breaches have similar causes. If the OCR believes these breaches could have been preventable, or that UTSW was acting negligently, the medical center could face hefty penalties.
The big picture
Patients trust their providers to keep their data safe. Many patients are unaware of all of the different vendors healthcare organizations work with, making data breaches resulting from third-party issues confusing and alarming. With so many impacted, it’s also possible that UTSW patients were victims in multiple UTSW reaches.
Data breaches, especially repeated ones, can lead to fraud and identity theft for patients. It can also heavily erode patient trust, which could lead to patients switching providers or filing lawsuits.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
