Cardiothoracic Patient Research Breach
The University of Florida is notifying 617 patients that their social security numbers were provided to a national database designed to provide benchmarking data to heart surgery centers. The patient names, social security numbers and limited medical information were provided by UF Cardiothoracic surgeons to a national database sponsored by the Society of Thoracic Surgeons (STS). The information was provided to the STS for quality assurance purposes so that UF Cardiothoracic surgeons submitting data could receive benchmarking data from the STS intended to improve the quality of care for heart surgery patients.
Florida law requires that patients be notified when their social security number is released to third parties without their consent. Neither the STS nor its data warehouse business partner has reported any breach or other unauthorized access or disclosure of any patient information from the database.
While it is unlikely that the patient information disclosed to the STS database was subsequently disclosed to unauthorized persons or used for unlawful purposes, the University of Florida has sent a letter notifying all of the patients whose social security numbers had been disclosed to the STS national database that their information had been submitted to the database.
In 2008, the STS began collecting social security numbers to enhance its analysis of clinical data of heart surgery patients and to link with information contained in other databases, such as ones maintained by the Centers for Medicare and Medicaid Services, with the aim of improving patient care. A large percentage of the heart surgery centers across the country participate in the STS database.
STS contracted with the Duke Clinical Research Institute (DCRI) to provide data warehouse and analysis services. According to the attorney for the STS, the database warehouse contractor DCRI has exhaustive policies and procedures in place for protecting the privacy and security of patient data.
STS also allows DCRI to release the patient information to medical researchers after approval by the Duke Institutional Review Board. According to the STS, any disclosure of patient information from the database for research purposes is in compliance with federal privacy and research regulations.
UF had a comprehensive written agreement with STS to allow STS to act on its behalf to store and analyze the patient information and provide to UF benchmarking data allowing comparison with other heart surgery centers across the nation.
According to UF policy, the release of patient social security numbers to third parties for non-routine business purposes requires approval from the University. Despite the protections in place for the privacy and security of patient information in the database, the release of patient social security numbers to a national database for quality assurance purposes and possible medical research without prior UF approval was in violation of University of Florida policy.
The UF privacy office mailed the patient letters Thursday, April 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number, 1-866-876-HIPA, for those who have questions.
- Answers to Common Questions Regarding Cardiothoracic Patient Research Breach (PDF, 80 KB)
- Copy of letter by UF officials (PDF, 61 KB)
- Identity Theft Brochure (PDF, 109 KB)