Breach at UC Health hospital may affect data of 4,721 patients
Daniel Drake Center for Post-Acute Care, part of six-hospital UC Health in Cincinnati, is reporting than one of its employees accessed patient medical records over a two-year period without authorization.
The UC health privacy office learned of the breach in June. Now, Daniel Drake Center is notifying 4,721 patients about potential exposure of their information, and it’s offering a year of credit monitoring and identity theft protection services from Experian.
The center is not disclosing how the employee was able to access records for an extended period of time without being caught, nor did it say how it learned about the breach. Many healthcare organizations typically learn that a breach has occurred through notifications from law enforcement agencies that may be investigating one breach and finding that other organizations also have been affected.
Daniel Drake Center now is implementing software to regularly and proactively monitor access to electronic health records and also is conducting educational sessions with staff covering appropriate access to protected health information and patient confidentiality.
Both initiatives are commonly done following a breach, often at the suggestion of the HHS Office for Civil Rights, which enforces the breach notification rule.
UC Health declined to provide additional details about the incident.