University Hospitals Elyria Medical Center Data Breach (2015)

An Ohio hospital is working to notify nearly 300 patients after unauthorized PHI access took place, potentially compromising their personal information. Unauthorized PHI access puts patient information at risk A University Hospitals Elyria Medical Center employee allegedly accessed "certain patient data" in its EMR, hospital spokesperson Alicia Reale confirmed in an email sent to HealthITSecurity.com. Reale sent a UH Elyria Medical Center statement, dated July 9, 2015, which said that 297 patients had certain PHI accessed by an employee. This was outside of the individual's normal job functions, the statement explained. Potentially accessed information includes patient names, dates of birth, medical record numbers, dates of service, and diagnostic and treatment information. Addresses, telephone numbers and names of health insurers may have also been accessed for a few patients. However, Social Security numbers and financial information were not included. The hospital became aware of the incident on May 13, 2015, and the facility began to send out data breach notifications on July 2, 2015. An internal investigation was launched when the hospital learned that the unauthorized EMR access had occurred in the first place. "The employee's actions violated UH Elyria Medical Center policies and procedures and the employee has been terminated," the statement read. "Additionally, we have notified local and federal law enforcement of this incident."