UC Health alerting patients about leaked medical records

The Cincinnati-area hospital network UC Health is alerting just over 1,000 patients that their medical records were part of a data security lapse and to monitor their credit accounts.

Emails containing patient names, birth dates, medical record numbers and other personal information were inadvertently sent to the wrong email address in nine separate incidents dating back to Aug. 2014, UC Health announced Saturday.

The UC Health group includes University of Cincinnati Medical Center, West Chester Hospital, and UC Physicians, a group of nearly 800 doctors, as well as other sites.

The university-affiliated health system learned in September this year the emails intended to be sent internally within the organization were mistakenly sent to an incorrect email address at a similar domain, according to UC.

In another example so far this year, Community Mercy Health Partners, which is a division of Cincinnati-based system Mercy Health that operates hospitals in Springfield and Urbana, mistakenly sent invoices containing private health information to the wrong recipients, affecting about 2,000 patients.

“In general that’s kind of the issue facing health care right now is less mature defenses and higher value information,” said John DiMaggio, chief executive officer for BlueOrange Consulting, a Columbus-area firm providing services for medical data security.

Unlike a credit card that can be turned off when suspicious purchases are charged to an account, a compromise of medical information containing important Social Security and other numbers might be used to make fraudulent insurance claims or to apply for loans. To catch the latter, a person would want to monitor their credit reports as well as financial statements and the bad activity might not be caught as quickly, DiMaggio said.

Letters have been sent to involved UC Health patients. The network is not aware of any attempt to misuse the information, but UC Health officials are advising those whose information is at risk to monitor their statements.

Also, a special call center has been set up to assist notified patients. For more information, contact 1-855-907-3146 from 8 a.m. to 8 p.m. Mondays through Fridays.

UC Health did not respond to requests for comment by deadline Monday about the incident.

However, on Tuesday, network spokeswoman Diana Lara said, “UC Health takes very seriously our role of safeguarding the personal information of our patients and using it in an appropriate manner. We were proactive. When we found out is when we began our investigation.”

Health providers are required to comply with federal law on patient privacy, and must report to the U.S. Department of Health and Human Services breaches of unsecured protected health information when it affects 500 or more individuals. A list of breaches posted online shows there have been about 226 incidents nationwide so far this year at hospitals, doctor practices and other providers, compared to 284 all of last year, according to the website.

Just in Ohio, about eight medical providers statewide have reported data security issues to date in 2015 not including the most recent discovery at UC Health. Ohioans’ protected patient information has been compromised due to a missing hard drive, invoices sent to the wrong person, and mistakenly trashed binders as well as a potential information technology hack and other reasons. Last year, Ohio health providers reported 10 breaches to the federal government, according to the health department’s website.

“There’s been an incentive for hospitals to move towards electronic systems and most are,” said Andrea Perry, chief privacy officer for Ohio Health Information Partnership, a nonprofit that contracts with hospitals and doctors to help transmit electronic medical records between providers. The health information exchange is live at 101 hospitals across Ohio including Middletown hospital Atrium Medical Center and Dayton Children’s Hospital, according to the group. However, UC Health is part of a different exchange with The Health Collaborative.

“There’s a lot of benefits to having medical information electronically available. The big thing is a physician having the information they need when they need it,” Perry said. “There are very stringent standards that are required by (law) that all physician practices and hospitals have to meet.”

Thank you for reading the Dayton Daily News and for supporting local journalism. Subscribers: log in for access to your daily ePaper and premium newsletters.

Thank you for supporting in-depth local journalism with your subscription to the Dayton Daily News. Get more news when you want it with email newsletters just for subscribers. Sign up here.