Story

UF Notifies Patients in Privacy Incident

The University of Florida is notifying 617 patients that their social security numbers were provided to a national database designed to provide benchmarking data to heart surgery centers. The patient names, social security numbers and limited medical information were provided by UF Cardiothoracic surgeons to a national database sponsored by the Society of Thoracic Surgeons (STS). The information was provided to the STS for quality assurance purposes so that UF Cardiothoracic surgeons submitting data could receive from the STS benchmarking data intended to improve the quality of care for heart surgery patients.

Florida law requires that patients be notified when their social security is released to third parties without their consent. The STS or its data warehouse business partner have not reported any breach or other unauthorized access or disclosure of any patient information in the database.

While it is unlikely that the patient information was disclosed to unauthorized persons or used for unlawful purposes, the University of Florida has sent a letter notifying all of the patients whose social security numbers had been disclosed to the STS national database.

In 2008, the STS began collecting social security numbers to enhance their analysis of clinical data of heart surgery patients and link with information contained in other databases, such as the Centers for Medicare and Medicaid Services with the aim of improving patient care. A large percentage of the heart surgery centers across the country participate in this database and submit patient social security numbers without patient authorization.

STS contracted with the Duke Clinical Research Institute (DCRI) to provide data warehouse and analysis services. According to the attorney for the STS, the database has exhaustive policies and procedures in place for protecting the privacy and security of patient data.

STS also allows DCRI to release the patient information to medical researchers after approval by the Duke Institutional Review Board. According to the STS, any disclosure of patient information from the database for research purposes is in compliance with federal privacy and research regulations.

UF had a comprehensive written agreement with STS to allow STS to act on its behalf to store and analyze the patient information and provide to UF benchmarking data allowing comparison with other heart surgery centers across the nation.

According to UF policy, the release of patient social security numbers to third parties for non-routine business purposes requires approval from the University.

Despite the protections in place to protect the privacy and security of patient information in the database, the release of patient social security numbers to a national database for quality assurance purposes and possible medical research without UF prior approval was in violation of University of Florida policy.

The UF privacy office mailed the patient letters Thursday, April 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number if they have questions.

Additional documents:
Letter to Patients
Incident Summary
Identity Theft Brochure