HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

4,271 UC Health Patients Notified of Insider Data Breach

Cincinnati’s UC Health has discovered a former employee of its Daniel Drake Center for Post-Acute Care had been accessing the medical records of its patients without authorization for almost two years.

The first recorded instance of inappropriate access occurred on July 29, 2015, with periodic access continuing until June 2, 2017. During that time, the medical records of 4,271 patients had been accessed without authorization or any legitimate work reason for doing so.

The types of information accessed by the individual included patients’ names, medical record numbers, birth dates, lab test results, diagnoses, treatment information and other clinical data. However, financial information and Social Security numbers were stored separately and were not accessed.

Due to the range of data that was accessed, patients have been offered credit monitoring and identity theft protection services through Experian for a period of one year without charge. Patients affected by the privacy breach were notified by mail on August 1.


UC Health reports that the employee was terminated as soon as it was confirmed that medical records had been inappropriately viewed. Action has also been taken to prevent future insider breaches from occurring, including the implementation of additional access controls and the provision of further training to staff members on hospital policies covering medical record access and patient confidentiality.

UC Health will also now be monitoring employee ePHI access more proactively to ensure any future privacy breaches are identified quickly.

As the Protenus Mid-Year Breach Barometer report shows, insiders cause more healthcare data breaches than cyberattacks by hackers. In the first six months of 2017, 41% of healthcare breaches were caused by insiders, resulting in the privacy of 1.17 million patients being violated.

Detecting insider breaches promptly can greatly reduce the number of patients whose privacy is violated and the harm caused to those individuals.

Software that monitors ePHI access logs and flags improper access can be expensive to implement, but it is an effective deterrent (staff who know their record access is audited are less likely to snoop) and it catches violations that would otherwise continue unnoticed, as this one did for almost two years. Detecting privacy violations promptly also reduces the cost of breach mitigation.

Healthcare organizations are required by the HIPAA Security Rule (the information system activity review standard at 45 CFR 164.308(a)(1)(ii)(D)) to regularly review records of information system activity, including ePHI access logs, for improper access. HIPAA does not state how often these reviews must be completed, but healthcare organizations should consider reviewing access logs at least twice a year for inappropriate access, and should not wait for a privacy incident to occur before updating their policies.
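The kind of review described above, reconciling ePHI access events against a documented care relationship, can be automated. The following is an added example written for this page; it is not UC Health's monitoring system or any EHR vendor's code. It assumes a simple key=value audit-log format, a constructed encounter table (which staff were on a patient's care team, on which unit, and when), a constructed staff directory, and two assumed rules: an access is unjustified when the user is neither on the patient's care team nor in the patient's admitting unit during the encounter, and a user is flagged when unjustified accesses touch more than a threshold of distinct patients or occur after hours. The sample log lines are constructed for the example.

```python
"""Toy insider-access detector run over constructed EHR audit-log lines.

Added example for this page; the log format, encounter table, staff directory
and thresholds below are assumptions, not any vendor's or hospital's logic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds: more than this many distinct patients without a care
# relationship, or any access outside the assumed 07:00-18:59 shift window, trips a flag.
DISTINCT_PATIENT_THRESHOLD = 3
WORK_HOURS = range(7, 19)

# Constructed staff directory: user -> home unit.
STAFF_UNIT = {"u_nurse1": "rehab", "u_doc1": "rehab", "u_clerk7": "billing"}

# Constructed encounter table: who was on each patient's care team, on which
# unit, and over which dates. This is the "legitimate work reason" reference.
ENCOUNTERS = [
    {"mrn": "MRN1001", "unit": "rehab", "team": {"u_nurse1", "u_doc1"},
     "start": "2015-07-20", "end": "2015-08-05"},
    {"mrn": "MRN1002", "unit": "rehab", "team": {"u_doc1"},
     "start": "2015-07-25", "end": "2015-07-31"},
    {"mrn": "MRN1003", "unit": "cardiology", "team": {"u_doc9"},
     "start": "2017-05-30", "end": "2017-06-04"},
    {"mrn": "MRN1004", "unit": "cardiology", "team": {"u_doc9"},
     "start": "2017-05-30", "end": "2017-06-04"},
]

# Constructed audit-log lines (a simple key=value layout, not a real EHR's format).
SAMPLE_LOG = """\
2015-07-29T10:14:02 user=u_nurse1 mrn=MRN1001 action=VIEW_CHART
2015-07-29T10:20:45 user=u_clerk7 mrn=MRN1001 action=VIEW_RESULT
2015-07-29T10:22:10 user=u_clerk7 mrn=MRN1002 action=VIEW_RESULT
2015-08-01T09:05:00 user=u_doc1 mrn=MRN1002 action=VIEW_CHART
2016-02-14T21:40:33 user=u_clerk7 mrn=MRN1003 action=VIEW_DIAGNOSIS
2017-06-02T11:02:18 user=u_clerk7 mrn=MRN1004 action=VIEW_CHART
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mrn=(?P<mrn>\S+) action=(?P<action>\S+)$")


def parse_line(line):
    """Parse one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def has_care_relationship(user, mrn, ts):
    """True if the user was on the care team, or works on the admitting unit,
    for an encounter of this patient whose dates cover the access time."""
    day = ts.date()
    for enc in ENCOUNTERS:
        if enc["mrn"] != mrn:
            continue
        start = datetime.fromisoformat(enc["start"]).date()
        end = datetime.fromisoformat(enc["end"]).date()
        if not (start <= day <= end):
            continue
        if user in enc["team"] or STAFF_UNIT.get(user) == enc["unit"]:
            return True
    return False


def analyze(log_text):
    """Aggregate unjustified accesses per user: count, distinct patients,
    after-hours count, and first/last access timestamps."""
    stats = defaultdict(lambda: {"count": 0, "patients": set(), "after_hours": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or has_care_relationship(rec["user"], rec["mrn"], rec["ts"]):
            continue
        s = stats[rec["user"]]
        s["count"] += 1
        s["patients"].add(rec["mrn"])
        if rec["ts"].hour not in WORK_HOURS:
            s["after_hours"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(stats)


def flagged_users(log_text):
    """Return {user: [reasons]} for users whose unjustified access trips a rule."""
    flags = {}
    for user, s in analyze(log_text).items():
        reasons = []
        if len(s["patients"]) > DISTINCT_PATIENT_THRESHOLD:
            reasons.append(f"{len(s['patients'])} patients viewed without a care relationship")
        if s["after_hours"]:
            reasons.append(f"{s['after_hours']} after-hours access(es)")
        if reasons:
            span = (s["last"] - s["first"]).days
            reasons.append(f"activity spans {span} days ({s['first'].date()} to {s['last'].date()})")
            flags[user] = reasons
    return flags


if __name__ == "__main__":
    for user, reasons in flagged_users(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On the constructed data, u_clerk7 (a billing user with no care relationship to any of the four patients) is flagged, while u_nurse1 is never counted. Note that u_doc1's chart view the day after the patient's encounter closed is counted as unjustified but not flagged: post-discharge follow-up by the treating team is a common false positive, and a production rule would need a grace period after discharge, thresholds tuned to each role, and a manual review step before any personnel action.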

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.