HENDERSON — A data breach at a third-party medical records vendor exposed the personal and health information of patients at two Deaconess Health System hospitals in Western Kentucky, the Evansville-based health system disclosed nearly two months after the breach itself occurred.
The breach did not affect Deaconess’s internal computer systems or its electronic medical records platform, a company official stated in a news release. Instead, the exposure affected MRO Corp., the Pennsylvania-based health care data firm Deaconess contracts to handle patients’ release of information requests.
The requests, often referred to by the abbreviation “ROIs,” allow health care providers to share sensitive patient information with third parties with a patient’s authorization…