Daniel Drake Center for Post-Acute Care, part of six-hospital UC Health Hospital in the region of Cincinnati, is reporting that one of its workers accessed patient medical records as a data breach over a 2-year period without the process of authorization.
In June, the UC health Hospital privacy office learned of the data breach. Now, Daniel Drake Center is notifying 4,721 sufferers about potential exposure of their data, and it is offering a year of credit monitoring and identity theft protection services from Experian.
The center isn’t revealing how the worker was capable to access records for an extended period of time without being caught, nor did it say how it learned about the data breach. Many healthcare agencies typically learn that a breach has occurred through notifications from law enforcement agencies that may be investigating one breach and finding that other organizations also have been affected.
Daniel Drake Center now is executing software to regularly and proactively monitor access to electronic health records (EHRs) and also is conducting educational sessions with staff covering suitable access to protected health information and patient confidentiality.
Both initiatives are usually done following a breach, often at the suggestion of the HHS Office for Civil Rights, which enforces the breach notification rule.
UC Health refused to give additional details about the incident.