MEMPHIS, Tenn. — Officials are in the process of assessing a Health Information Portability and Accountability Act (HIPAA) breach affecting information for some obstetrics and gynecology (OB/GYN) patients from UTHSC who received services at Regional One Health (ROH).
A blog from ROH said the breach affected some patients from the University of Tennessee Health Science Center who were seen at the hospital. ROH said it has an agreement with UTHSC, which contracts with KMJ Health Solutions, Inc. to support the UTHSC OB/GYN residents and patients.
Hospital officials said KMJ reported a security incident to UTHSC about Nov. 29, 2023, after a network server outage. KMJ then began work to minimize the risk, and on Jan. 18, 2024, KMJ told UTHSC that its host provider, LiquidWeb, discovered a ransomware attack.
ROH said KMJ’s affected server included information for UTHSC patients who received OB/GYN services at the hospital between November 2014 and November 2023.
KMJ is continuing to work on fortifying its systems and implementing new safeguards.
A statement to ABC 24 from ROH stated: "UTHSC made us aware of a security breach with their vendor. UTHSC contracted with this vendor to supply a product for use by their OB/GYN residents. We worked with UTHSC to identify patients who might have been affected, and it is our understanding that UTHSC has communicated directly with affected patients. Regional One Health takes the safeguarding of patient information seriously. Regional One Health has not experienced a security breach."
So what does this mean for patients?
ROH said the breach may have included the following:
- First and last name
- Medical record number
- Age
- Date of admission
- Allergies
- Service
- Resident assigned
- Parity
- Diagnoses
- Prenatal provider
- Laboratory results
- Medications
- Fetal or delivery details
- Contraception
- Type of infant feeding
- Information regarding follow-up care
ROH said no protected health information, such as date of birth, address, social security numbers, credit card information, bank account information, or other financial information was affected.
What should patients do?
ROH said, “it does not appear that affected patients face any significant risk of identity theft or harm to their credit.” They said patients should still be on the lookout for letters, emails, or other communications from unknown people wanting to discuss services or trying to get information from them. Patients should only discuss information with health care providers and hospital representatives after confirming their identity.
For more information, check the Tennessee Attorney General’s Consumer Protection website at https://www.tn.gov/tbi/crime-issues/crime-issues/identity-theft.html and the Federal Trade Commission’s website at https://consumer.ftc.gov/features/identity-theft.
The information contained in this notice is also available on the University of Tennessee Health Science Center’s website at www.uthsc.edu, and ROH’s website at www.regionalonehealth.org.
Those seeking additional information regarding this incident may call the University of Tennessee Health Science Center’s Institutional Compliance Office at 1.888.953.4484, Monday through Friday, between 8 a.m. and 5 p.m. Central Time.