Notice to ophthalmology patients of a privacy breach
November 1, 2019
Washington University School of Medicine is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns a security incident at our Department of Ophthalmology and Visual Sciences (the “Ophthalmology Department”) that may have involved some of that information.
On Sept. 3, 2019, we learned that a small number of patients had received a letter regarding an Ophthalmology Department employee. We quickly began an internal investigation and determined that the letter was sent by an individual who had a personal relationship with the employee. The individual took the employee’s personal laptop and used it to access the employee’s Washington University School of Medicine email account between April 29 and Sept. 3, 2019. We immediately took steps to secure the employee’s email account, and a leading computer forensic firm was engaged to assist with our continued investigation.
The investigation was not able to determine which, if any, emails or attachments in the employee’s email account were viewed by the unauthorized individual. We, therefore, conducted a review of the emails and attachments contained in the email account to identify patient information that may have been in the account. As a result of that review, on Oct. 21, 2019, we determined that emails or attachments in the email account contained patient information, which may have included patient names, dates of birth, medical record numbers, and limited treatment and/or clinical information, such as diagnoses, provider names, and/or prescription information. In some instances, patients’ health insurance information and/or Social Security numbers were also included in the account.
This incident did not affect all School of Medicine patients, but only those Ophthalmology Department patients who had information contained in the employee’s email account.
In an abundance of caution, we are mailing letters to patients whose information was identified in the account. We have also established a dedicated toll-free call center to answer questions for affected patients. If you have questions, please call (844) 996-1023, Monday through Friday from 8 a.m. to 5:30 p.m. central time. For any patient whose Social Security number was contained in the email account, we are offering complimentary credit monitoring and identity protection services. We also recommend that affected patients review any statements they receive from their health insurers or healthcare providers. If they see charges for services not received, patients should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff on best practices for passwords and are making additional security enhancements.