Emory Healthcare has notified 24,000 patients that their information was accessible after a former physician placed patient files on a Microsoft cloud account overseen by an Arizona medical school.
The former Emory physician, who now works for the University of Arizona College of Medicine, obtained and placed patient files on a OneDrive account that was accessible to “individuals set up with a specific UA email account,” according to a notice posted by Emory. The Atlanta-based system was notified about the incident in October after the University of Arizona conducted an investigation.
The hospital added that “it has no reason to believe patient information was actually viewed by anyone outside of EHC other than former EHC physicians who now work for the UA, limited UA staff and those at UA investigating this incident.”
RELATED: OCR—5 ways to fight internal health data breaches
The files were limited to patients that received radiology services at Emory between 2004 and 2014. The information stored on the cloud server included diagnostic and medical data, but no Social Security numbers or financial information.
Emory reported the incident to the Department of Health and Human Services on December 15 after mailing notices to the affected patients. The health system said its reviewing security measures and employee education programs to prevent future incidents.
Earlier this year, Emory reported its online appointment system had been hacked, impacting information for nearly 80,000 patients.