A professor at the University of Utah is filing a complaint with HHS' Office for Civil Rights and the Federal Trade Commission about the way that a health care system shared patient data prior to a state Medicaid data breach, the Salt Lake Tribune reports (Stewart, Salt Lake Tribune, 6/18).
Recent Utah Data Breach
In April, the Utah Department of Health announced that a data breach occurred on March 30 as Utah Department of Technology Services technicians were exchanging computer servers.
Stephen Fletcher -- executive director of UDTS -- said it appeared that "very sophisticated" hackers used passwords to access a server, but officials are uncertain about how the hackers bypassed security.
The breach affected the personal information of about 800,000 Medicaid and Children's Health Insurance Program beneficiaries. The stolen information included about 280,000 Social Security numbers (iHealthBeat, 4/30).
Details of the Allegations
Leslie Francis -- a health law professor at the university and former chair of Utah's Health Data Committee -- said she learned that her personal information was exposed during the Medicaid breach and decided to investigate the issue.
She said her information likely was sent to UDOH by a health care provider inquiring whether she was covered by Medicaid. Francis -- who is insured by her employer -- said that none of her health care providers indicated in their privacy notices that they might send patients' personal information to the state's Medicaid program.
Francis said she believes that Salt Lake Regional Medical Center -- which is owned by IASIS Healthcare -- shared her information with UDOH.
She claimed that IASIS' privacy notice violates HIPAA because it does not contain sufficient details about how it handles patient data. She also alleged that IASIS' privacy notice might be misleading enough to be considered unfair trade practice.
Response to Allegations
Officials from IASIS repeatedly declined requests to explain their patient data sharing policy, according to the Tribune.
Ed Lamb, IASIS western division president, said, "Salt Lake Regional Medical Center takes privacy and confidentiality extremely seriously, and will work with individuals to resolve any issues" (Salt Lake Tribune, 6/18).