An acute care center has begun notifying patients of a security incident that might have compromised their medical records.
In the late spring of 2017, UC Health first learned about a security event affecting the Daniel Drake Center for Post-Acute Care (DDC), one of its health system members.
Between 29 July 2015 and 2 June 2017, an employee at DDC accessed patients’ medical records without authorization and viewed people’s sensitive information including their names, addresses, dates of birth, lab results, and medical record numbers. It’s not believed the rogue employee accessed patients’ Social Security Numbers.
It’s unclear how the worker evaded discovery for two years, just as it’s unknown how DDC eventually discovered the unauthorized activity. When it did, it terminated the employee and began crafting a response for affected individuals. UC Health confirms these recovery efforts in a press release:
“DDC began mailing letters to 4,721 affected patients on August 1, 2017 and has established a dedicated call center to address individual patients’ questions. DDC is offering affected patients one year of credit monitoring and identity theft protection services through Experian.”
Electronic health records (EHR) might streamline the process of sharing medical records across different health care settings. But it also creates risk that’s capable of producing a digital security incident. It’s therefore not surprising that unauthorized access to medical records was the leading cause of events reported to the Department of Health and Human Services (HHS) Office for Civil Rights between 1 January and 1 June 2016. Of 114 reported security incidents, unauthorized EHR access or disclosure was to blame for 47 of them including the breach of 2.2 million patients’ data at 21 Century Oncology patients.
In an effort to prevent similar abuses of its patients’ EHR in the future, the DDC has taken steps to strengthen the security of its information technology systems. It’s now using additional controls to monitor employees’ access of patients’ medical records and thereby help deter insider threats. It’s also agreed to conduct training with its employees about how they are expected to respect patient confidentiality.
To strengthen your organization’s ability to monitor EHR and/or other critical information, click here.