Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters.

According to the announcement, VUMC audited its medical records (as it is required to do by  HIPAA), and found that two individuals who worked as patient transporters accessed 3,247 patient records between May of 2015 and December of 2016 and were unauthorized to do so. The information accessed included data from adults and minors, including names, dates of birth, medical record numbers, and in some cases, Social Security numbers.

According to the release, there is no indication that the two individuals further disclosed the PHI or downloaded or used the data.  

This post is also being shared on our Data Privacy +Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.