Getty Images

Patient Privacy Incident Leads to Accidental PHI Disclosure

An Oklahoma hospital is notifying patients about a recent data breach.

Oklahoma Heart Hospital is notifying patients about a patient privacy incident that involved some patients’ protected health information (PHI) accidentally being donated to a charity.  

According to a statement Oklahoma Heart Hospital (OHH) published on July 12, the incident involved “limited patient information” and the hospital is “unaware of any actual or attempted misuse of patient information.”  

The protected health information (PHI) involved included medical diagnosis, lab results and treatment information.  

“On May 13, 2021, OHH became aware that handwritten notes containing information for a limited number of OHH patients had been mistakenly donated to charity by a former employee,” the statement reads. “The notes were created by the former OHH employee during the course of that individual’s employment from 2011 to 2014 and had been erroneously donated along with other personal items. OHH was made aware of the notes when an individual located the items and contacted OHH. OHH promptly regained possession of the notes.” 

The hospital, which has two hospital locations and 60 clinics across the state of Oklahoma, immediately opened an investigation into the incident.  

“OHH’s investigation revealed that the donations were made in May 2021, shortly before OHH was contacted by the individual who initially found the handwritten notes,” the statement says. “OHH immediately undertook efforts to collect and catalog all of the notes in order to identify potentially affected patients. OHH determined, through its investigation, that the information potentially at risk included a limited number of OHH patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information.”  

OHH stated that no patient medical records were involved in the breach and the hospital’s patient record systems remain secure. 

The hospital has no evidence that any patient information was misused but out of “an abundance of caution” OHH is mailing notices to impacted patients.  

“The notification letters include information about the event and steps that can be taken to safeguard one’s information,” the statement reads. “Specifically, OHH encourages impacted patients to remain vigilant against incidents of identity theft and fraud by reviewing their account statements and explanations of benefits for suspicious or anomalous activity. Any suspicious activity should be promptly reported to the appropriate provider, insurer, or financial institution.” 

The hospital created a dedicated call center for patients to contact with questions or concerns. The call center can be reached at 1-833-468-1010 from 8:00 am to 5:00 pm EST, Monday through Friday, excluding national holidays. 

Next Steps

Dig Deeper on Cybersecurity strategies