The medical information of 24,000 Emory Healthcare patients was left unsecured when a former Emory doctor placed patients’ records on a University of Arizona account that was not secured.
Emory said on Friday that the doctor, who now works at the University of Arizona, took the electronic medical files without Emory’s knowledge. The records were placed on a University of Arizona College of Medicine Microsoft Office 365 OneDrive Account, Emory said in a statement.
OneDrive is a “cloud” account for storing documents. Emory said the information may have been accessible to people that had a specific type of University of Arizona email account.
Emory declined to identify the doctor. The files that were compromised contained information about patients who received radiology services at Emory Healthcare from 2004 to 2014.
The records included patients’ names, diagnostic and treatment information, dates of birth for some patients, dates of service at Emory, the medical provider’s name, medical record numbers and treatment locations.
Whether the private health information was ever improperly accessed isn’t clear.
Emory said “there is no indication that the information was accessed or used in any way while on the OneDrive Account” or that patient information was actually viewed by anyone other than Emory staff, the former physician who took the records and limited University of Arizona staff and investigators.
Emory said the University of Arizona took immediate action to remove the information from the account and hired a forensic firm to review it. All Emory patient information has been deleted from the Arizona systems, Emory said.
Emory Healthcare “apologizes for this situation and for any concern it may cause patients,” Emory said in a statement. “Moving forward, the organization is further reviewing and working to enhance its security measures and patient care team education programs to help prevent something like this from happening in the future.”