Holly Fletcher

USA TODAY NETWORK – Tennessee

Vanderbilt University Medical Center will be sending letters to more than 3,000 patients whose personal information was inappropriately accessed by a pair of patient transporters.

An audit of electronic patient files conducted by the VUMC Privacy Office found that two people who worked as patient transporters looked at 3,247 medical records between May 2015 and December 2016, according to a release from VUMC. The employees accessed information from adult and pediatric records, including names, birth dates, and medical record identification numbers. In a few instances one person had the ability to see social security numbers.

There is no indication that the information was downloaded, transferred or used in other ways. The letters to patients are already in the mail, according to a VUMC spokeswoman. The breach is being reported, as required by law, to the U.S. Department of Health and Human Services.

“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded. So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” John Howser, VUMC's chief communications officer, said in a statement. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

Employees who work as patient transporters move people around between rooms, floors or test areas. A patient transporter, for example, will move a person from a hospital room to a CT-scanner on another floor.

The two employees — staff of VUMC, not contractors — looked at the information via electronic record, not paper files. Howser said VUMC took disciplinary action against the two employees but declined to comment on the nature of the action, citing internal policy.

Breaches are common at health care providers, said Beth Pitman, counsel in Waller's Birmingham office, who is not connected to the VUMC incident. Nearly two thousand have been reported via HHS' online system since 2009.

Health care providers are required to report breaches that impact 500 patient records or more. Incidents are sometimes intentional, such as by an employee who wants to leak information about a well-known individual, or thefts, but many are errors.

HHS's Office of Civil Rights investigates every reported incident. It may take two years before a final federal report is issued.

Howser declined to comment on what brought the breach to officials' attention in December or the employees' motives.

In what Howser described as "an abundance of caution," VUMC will enroll patients whose social security number was accessed in a one-year membership to credit monitoring firm Experian Family Secure to help protect against identity theft.

The decision to enroll people in a credit monitoring service is a common and recommended practice, said Pitman.

The breach prompted the medical center to change the way the patient transport staff gets information so that it no longer gives them access to electronic medical records. Staff in that department were also retrained about appropriate access to information.

VUMC is in the process of migrating from its current electronic health record system to a new software system designed by Epic Systems. The switch will allow the health system to structure more job-specific access to records, said Howser.

Reach Holly Fletcher at hfletcher@tennessean.com or 615-259-8287 and on Twitter @hollyfletcher.