UK HealthCare Public Notice, December 13, 2017

On three separate occasions, UK HealthCare employees mailed billing statement letters to the incorrect patients.  The information included the patients’ identifiers and treatment information.  It did not contain the patients’ social security numbers, or financial information.  UK HealthCare notified the affected individuals.

A UK HealthCare systems update caused an invitation message with instructions for patients to sign up for the online patient health portal to be sent out to the incorrect recipients.  This resulted in five patients creating online portal accounts that connected them to a different patient’s account.  The information viewed included health information about the patients’ visits to UK HealthCare.  The error was corrected and all portal accounts were closed within two hours of the occurrence. UK HealthCare notified the affected individuals.

A UK HealthCare employee’s vehicle was broken into and a portable ultrasound machine was taken. The information on the hard drive of the machine included 15 patients’ demographics and ultrasound scans.  UK HealthCare notified the affected individuals.

UK HealthCare gave a registration packet with patient information to the incorrect patient.  The information was limited to the patient’s name, date, time, and location of the appointment, and the name of the treating physician.  UK HealthCare notified the affected individual.

A UK HealthCare patient’s receipt for payment was given to the incorrect recipient.  The information was limited to the patient’s identifiers and their appointment information. It did not contain the patient’s phone number, birthdate, social security number, insurance information, or financial information. UK HealthCare notified the affected individual.

A UK Healthcare visiting medical student accessed a patient’s medical records outside their scope of duty. The information accessed was limited to the patient’s identifiers and specific UK HealthCare visits.  UK HealthCare notified the affected individual.

UK HealthCare scheduled an appointment with the incorrect patient; this caused a patient’s appointment reminder to be given to the incorrect recipient.  The information was limited to the patients’ identifiers and their appointment information. It did not contain the patient’s phone number, birthdate, social security number, insurance information, or financial information. UK HealthCare notified the affected individual.

UK HealthCare mailed a pathology report to the incorrect patient. The information included the patient’s identifiers and diagnosis information. It did not contain the patient’s social security numbers, or financial information. UK HealthCare notified the patient, and the recipient of the report notified UK HealthCare that it had been destroyed.

UK HealthCare mailed dentistry registration forms for three patients to another patient. The forms included contact information for all three patients, as well as social security numbers and dates of birth for two of the patients. The records were returned to UK HealthCare by the recipient and the affected individuals were notified.

UK HealthCare mailed a clinic letter to the incorrect patient. The letter contained the patient’s identifiers, diagnosis, medications and treatment information. It did not include the patient’s social security number or financial information. UK HealthCare notified the affected individual.

UK HealthCare mailed a CT scan summary to the incorrect patient. The report contained the patient’s identifiers, treatment and diagnosis information. It did not include the patient’s social security number or financial information. UK HealthCare notified the affected individual.

A UK HealthCare employee discussed a patient’s care outside of their job duties. The information contained the patient’s identifiers and treatment information. It did not include the patient’s social security number or financial information. UK HealthCare notified the affected individual.

A UK HealthCare employee discussed information for five patients in a non-secure area. The information contained the patients’ identifiers and appointment information. It did not include the patients’ social security numbers or financial information. UK HealthCare notified the affected individuals.