Hospital Notifies 40,000 of ER Breach

Records on 1,500 Patients Were Stolen in Fraud Effort
A Florida hospital is notifying approximately 40,000 of its emergency room patients about a health information breach involving stolen paper records that it believes might have affected about 1,500 of those patients.

Holy Cross Hospital in Ft. Lauderdale says a criminal investigation recently determined that a former employee stole patient data sheets and allegedly sold the information to a third party to commit fraud. Information on as many as 1,500 emergency room patients may have been taken from April 2009 through September 2010.

Because the hospital has been unable to determine the identities of all of those possibly affected, it's notifying all patients treated in the ER during that period and offering them free credit monitoring services.

The data sheets included patients' names, addresses, dates of birth, Social Security numbers and initial diagnosis. "This was not a compromise of the computer systems that the hospital uses to protect patient information," the hospital said. "Holy Cross identified the individual involved, who admitted improper conduct and was immediately terminated."

Arrests in Fraud Case

Four of five people charged in connection with the case, including the ER worker, have been arrested, according to the U.S. Attorney's Office, Southern District of Florida. Information stolen from the hospital was used to open bank accounts and to obtain credit and debit cards in the patients' names, effectively stealing their identities, according to the office. Participants in the alleged identity theft ring face charges of conspiracy, mail fraud, wire fraud, bank fraud and wrongful disclosure of individually identifiable health information.

In the wake of the incident, the hospital has made a procedural change that limits the amount of key personal data included in the type of documents involved, says Patrick Taylor, the hospital's CEO. The hospital is also conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements, he adds.

The incident has not yet been added to the list of major health information breaches compiled by the Department of Health and Human Services' Office of Civil Rights. Under the HITECH Act breach notification rule, breaches affecting 500 or more individuals must be reported to OCR, the media and those affected within 60 days of discovery.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
