The Daniel Drake Center for Post-Acute Care (DDC) at UC Health recently suffered an instance of unauthorized EHR access, potentially affecting patient PHI security.
On June 2, 2017, the UC Health Privacy Office learned that an employee of the Cincinnati-based healthcare center had accessed patient health records – without proper authorization – between July 29, 2015 and June 2, 2017.
Potentially accessed information included patient names, home addresses, dates of birth, medical record numbers, diagnoses and condition, lab results, treatments, and medication information.
According to a statement released by the healthcare center, approximately 4,721 patients may have been affected by the breach.
However, DDC stated no patient Social Security numbers were included in the accessed medical records.
The employee responsible for the breach was terminated after the unauthorized access was confirmed.
DDC began mailing advisory notices to potentially impacted patients on August 1, 2017. The healthcare center has also established a dedicated call center to answer any questions from concerned patients.
DDC is also extending one year of free credit monitoring and identity theft protection services to any patients seeking additional security measures.
Following the incident, DDC has implemented additional security controls to periodically monitor EHR access at the facility. Additionally, DDC is conducting in-depth information security training and education with all staff regarding appropriate EHR access and the importance of patient confidentiality.
With EHR adoption nearly ubiquitous in hospitals and health systems nationwide, unauthorized EHR access has become a persistent security problem in recent years.
According to the OCR data breach reporting database, unauthorized patient medical record access was the leading cause of security incidents in the first half of 2016.
Of 114 security incidents reported to the federal agency between January 1 and June 1 of last year, 47 were classified as being related to unauthorized access or disclosure of patient information.
The largest healthcare data breach during that time period was the result of an instance of unauthorized access by a third party at 21st Century Oncology, potentially impacting 2,213,597 patients.
Behind unauthorized patient data access, hacking and health IT incidents were the second most common causes of healthcare data breaches in the first six months of 2016, followed by theft, loss, and improper disposal of information.