Cincinnati’s UC Health has discovered a former employee of its Daniel Drake Center for Post-Acute Care had been accessing the medical records of its patients without authorization for almost two years.
The first recorded instance of inappropriate access occurred on July 29, 2015, with periodic access continuing until June 2, 2017. During that time, the medical records of 4,271 patients had been accessed without authorization or any legitimate work reason for doing so.
The types of information accessed by the individual included patients’ names, medical record numbers, birth dates, lab test results, diagnoses, treatment information and other clinical data. However, financial information and Social Security numbers were stored separately and were not accessed.
Due to the range of data that was accessed, patients have been offered credit monitoring and identity theft protection services through Experian for a period of one year without charge. Patients affected by the privacy breach were notified by mail on August 1.
UC Health reports that the employee was terminated as soon as it was confirmed that medical records had been inappropriately viewed. Action has also been taken to prevent future insider breaches from occurring, including the implementation of additional access controls and the provision of further training to staff members on hospital policies covering medical record access and patient confidentiality.
UC Health will also now be monitoring employee ePHI access more proactively to ensure any future privacy breaches are identified quickly.
As the Protenus Mid-Year Breach Barometer report shows, insiders cause more healthcare data breaches than cyberattacks by hackers. In the first six months of 2017, 41% of healthcare breaches were caused by insiders, resulting in the privacy of 1.17 million patients being violated.
Detecting insider breaches promptly can greatly reduce the number of patients whose privacy is violated and the harm caused to those individuals.
Software solutions capable of detecting improper access can be expensive to implement, although they are an effective deterrent that can prevent many breaches. Detecting privacy violations promptly also reduces the cost of breach mitigation.
Healthcare organizations are required by HIPAA to regularly monitor ePHI access logs for improper access. While HIPAA does not state how often checks should be completed, healthcare organizations should consider conducting a bi-annual review to check for inappropriate access and should not wait for a privacy incident to occur to update their policies.
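The kind of proactive ePHI access-log review described above can be illustrated with a small script. This is an added example, not code from UC Health, Protenus, or any product; the log format (timestamp, user id, patient id, action), the care-relationship table, and the per-day patient threshold are all assumptions, and the log lines are constructed sample data. It flags two of the signals an insider case like this one produces: record views by a user with no documented treatment relationship to the patient, and users who open an unusually large number of distinct patient records in one day.

```python
"""Minimal ePHI audit-log review (added example; format and thresholds assumed).

Two checks are applied to each access event:
  1. Is the user on the patient's documented care team?
  2. Does the user touch more distinct patients per day than a threshold?
Either signal alone warrants a privacy-officer review, not automatic action.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not real data). One event per line:
# ISO-8601 timestamp, user id, patient id, action.
SAMPLE_LOG = """\
2017-05-30T08:02:11 u1001 p0001 view
2017-05-30T08:05:47 u1001 p0002 view
2017-05-30T08:09:03 u1001 p0003 view
2017-05-30T08:12:30 u1001 p0004 view
2017-05-30T09:00:00 u2002 p0001 view
2017-05-30T09:15:22 u2002 p0001 update
2017-05-31T10:40:19 u3003 p0005 view
"""

# Constructed care-relationship table: users documented as treating each patient.
# In practice this would be derived from admissions, orders or scheduling systems.
CARE_TEAM = {
    "p0001": {"u2002"},
    "p0002": {"u3003"},
    "p0003": {"u3003"},
    "p0004": {"u2002"},
    "p0005": {"u3003"},
}


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts.

    Blank or malformed lines are skipped rather than aborting the review.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def unrelated_accesses(events, care_team):
    """Return events where the user is not on the patient's documented care team."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def distinct_patients_per_user(events):
    """Map each user id to the set of distinct patient records they touched."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient"])
    return seen


def review(events, care_team, max_patients_per_day=3):
    """Run both checks.

    Returns (unrelated_events, high_volume_users). The threshold is an assumed
    value; a real deployment would baseline it per role and department.
    """
    unrelated = unrelated_accesses(events, care_team)
    per_user_day = defaultdict(set)
    for e in events:
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    high_volume = sorted({
        user for (user, _day), patients in per_user_day.items()
        if len(patients) > max_patients_per_day
    })
    return unrelated, high_volume


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    unrelated, high = review(evs, CARE_TEAM)
    for e in unrelated:
        print(f"no care relationship: {e['ts'].isoformat()} {e['user']} -> {e['patient']} ({e['action']})")
    print("high-volume users:", high)
```

On the constructed log, user u1001 is flagged by both checks: four record views with no care relationship, all within one morning. The care-team check is the stronger signal because a curious insider typically touches records of patients they are not treating, while the volume check catches the pattern even when the relationship data is incomplete. Running a review like this on a scheduled basis is what turns a nearly two-year exposure into one caught in days.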