OU Physicians Notifies Patients of Potential Privacy Matter

Revised May 24, 2017

OU Physicians is committed not only to providing quality care, but also to the proper handling and protection of its patients' information. As part of its commitment to patient privacy, and out of an abundance of caution, OU Physicians is sending letters to certain individuals to notify them of a potential privacy matter.

On February 8, 2017, (not February 13, 2017, a originally reported) the University of Oklahoma became aware that a resident provider in the Department of Medicine who had been involved in the treatment or care of some of its patients had set his University email account to automatically forward his email messages to his personal email account from mid-2013 through mid-February 2017. The University did not have specific information about the security of the resident provider’s personal email account, so University personnel conducted a review of the matter, which included interviewing the provider, confirming account security settings, and reviewing account activity.

The University determined in its thorough review of this matter, which it completed on March 9, that the provider forwarded his University email messages to his personal account to make it more convenient for him to respond quickly to messages regarding clinic schedules, assignments, patient care, and other matters. In an abundance of caution, the University is making approximately 1,600 patients aware that it was possible for the forwarded email messages to have been viewed by someone not authorized to see them. These patients will receive one of three letters, based on what information was in the email messages. Some messages included name and limited medical information (diagnosis, medication list, and/or laboratory tests); some included that information and date of birth; and 88 included Social Security number as well. Neither the University nor the provider has any knowledge that any of the messages were viewed by an unauthorized person.

In response to this occurrence, the University has adopted more specific policies regarding the automatic forwarding of email messages that include patient information. The provider is no longer using automatic forwarding and has deleted these messages from his personal account. The technology that automatically forwards email messages to personal email accounts has been disabled from resident provider accounts and training on other ways for workforce members to securely transmit these types of email messages off campus is in place.

No negative impact to patients is anticipated, but the University does take this matter seriously and understands that some patients may have concerns. Patients may monitor their credit report by obtaining a free credit report annually from certain credit reporting services, as described at http://www.ftc.gov/freereports. In addition, to ensure any concerns are addressed, the University is offering to provide a one-year subscription to credit monitoring and reporting services at no cost to the patients involved. Individuals who believe they may be affected may call 405-271-2511 or toll-free at 1-866-836-3150 for additional information.