Hospital Notifies 40,000 of ER BreachRecords on 1,500 Patients Were Stolen in Fraud Effort
Holy Cross Hospital in Ft. Lauderdale says a criminal investigation recently determined that a former employee stole patient data sheets and allegedly sold the information to a third party to commit fraud. Information on as many as 1,500 emergency room patients may have been taken from April 2009 through September 2010.
Because the hospital has been unable to determine the identities of all of those possibly affected, it's notifying all patients treated in the ER during that period and offering them free credit monitoring services.
The data sheets included patients' names, addresses, dates of birth, Social Security numbers and initial diagnosis. "This was not a compromise of the computer systems that the hospital uses to protect patient information," the hospital said. "Holy Cross identified the individual involved, who admitted improper conduct and was immediately terminated."
Arrests in Fraud CaseFour of five people charged in connection with the case, including the ER worker, have been arrested, according to the U.S. Attorney's Office, Southern District of Florida. Information stolen from the hospital was used to open bank accounts and to obtain credit and debit cards in the patients' names, effectively stealing their identities, according to the office. Participants in the alleged identity theft ring face charges of conspiracy, mail fraud, wire fraud, bank fraud and wrongful disclosure of individually identifiable health information.
In the wake of the incident, the hospital has made a procedural change that limits the amount of key personal data included in the type of documents involved, says Patrick Taylor, the hospital's CEO. The hospital is also conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements, he adds.
The incident has not yet been added to the list of major health information breaches compiled by the Department of Health and Human Services' Office of Civil Rights. Under the HITECH Act breach notification rule, breaches affecting 500 or more individuals must be reported to OCR, the media and those affected within 60 days of discovery.