Software development projects within the healthcare sector pose a real risk of breaching protected health information (PHI). A breach reported by the University of Iowa Health Care shows how sensitive information can be exposed through an application development site.
UI Health Care was developing an online application that handled patient data. On April 29, it discovered that the PHI of 5,300 individuals had been exposed, unencrypted, on the application's development site.
A third party who found the data reported it to UI Health Care, which deleted the files in question on May 1. The investigation found that the exposed PHI in the files included patient names, dates of admission, and medical record numbers.
The root cause was traced to an employee who used open source programming tools to develop the web application. The files containing PHI were never restricted to authorized users, and they were left on the development site after the project was completed.
UI Health Care noted efforts to prevent similar breaches of information in the future:
- Tightening the process for development and management of custom databases
- Educating staff and students about how and when to use tools designed to store sensitive data
- Enhancing employee training on data privacy
This event demonstrates how easily health information left on an Internet-facing development site can be exposed, ultimately leading to a breach.
Employee negligence is once again the cause of a data breach. Proper oversight and workforce training are the key administrative safeguards against this kind of exposure. To reduce the human variable, healthcare organizations should develop and test against synthetic or de-identified data rather than real PHI, so that a misconfigured development site has nothing sensitive to expose.
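The following is an added example illustrating the "test data instead of PHI" recommendation; it is not code from the original article or from UI Health Care. It generates synthetic patient records with the same shape as the fields the article lists as exposed (name, admission date, medical record number) and includes the check a release gate would run to confirm no production record has been copied into a development fixture. The eight-digit MRN format, the "9"-prefixed test-only MRN range, the sample names, and the constructed "production" records are all assumptions for illustration.

```python
"""Synthetic patient fixtures for a development environment.

Added example, not part of the original article. The record shape
(name, admission date, MRN), the 8-digit MRN format and the
"9xxxxxxx" test-only MRN range are assumptions for illustration.
"""
import random
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for a production export. These are not real people;
# a real gate would load the production MRN list from a controlled source.
PRODUCTION_SAMPLE = [
    {"name": "Jane Q. Sample", "admitted": "2018-02-14", "mrn": "10234567"},
    {"name": "John R. Example", "admitted": "2018-03-02", "mrn": "10234568"},
]

# Obviously fake surnames so a record's synthetic origin is visible at a glance.
FIRST_NAMES = ["Alex", "Sam", "Jordan", "Taylor", "Casey", "Riley"]
LAST_NAMES = ["Testcase", "Fixture", "Placeholder", "Synthetic", "Mock"]

MRN_RE = re.compile(r"^\d{8}$")  # assumed MRN format


@dataclass(frozen=True)
class Patient:
    name: str
    admitted: str
    mrn: str


def synthetic_patients(n, seed=0, reserved_mrns=frozenset()):
    """Return n deterministic synthetic records.

    MRNs are drawn from an assumed test-only range (first digit 9) so they
    can never collide with the assumed production range, and any MRN listed
    in reserved_mrns is skipped so repeated runs can be kept disjoint.
    """
    rng = random.Random(seed)  # seeded: fixtures are reproducible in CI
    out, used = [], set(reserved_mrns)
    base = date(2020, 1, 1)
    while len(out) < n:
        mrn = f"9{rng.randrange(0, 10_000_000):07d}"
        if mrn in used:
            continue
        used.add(mrn)
        name = f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
        admitted = (base + timedelta(days=rng.randrange(0, 365))).isoformat()
        out.append(Patient(name, admitted, mrn))
    return out


def leaked_records(test_records, production_records):
    """Return every production record whose MRN or name appears in the test
    data. A non-empty result means real PHI was copied into a fixture and
    the deployment to the development site should be blocked."""
    test_mrns = {r.mrn for r in test_records}
    test_names = {r.name for r in test_records}
    return [p for p in production_records
            if p["mrn"] in test_mrns or p["name"] in test_names]


if __name__ == "__main__":
    fixtures = synthetic_patients(5)
    for p in fixtures:
        print(p)
    # Simulate a developer pasting one real record into the fixtures.
    tainted = fixtures + [Patient(**PRODUCTION_SAMPLE[0])]
    print("leaks in clean fixtures:", leaked_records(fixtures, PRODUCTION_SAMPLE))
    print("leaks in tainted fixtures:", leaked_records(tainted, PRODUCTION_SAMPLE))
```

The point of the disjoint MRN range and the fake surnames is that a reviewer, or an automated gate, can tell synthetic data from real data without consulting the production system. The `leaked_records` check is the minimum gate to run before anything is pushed to an Internet-facing development site; in practice it would read the production identifier list from a controlled store rather than an inline sample.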