Stolen ER patient data prompts hospital to offer free credit monitoring

Five people in an identity-theft ring were charged Wednesday with stealing ER patient identities at Holy Cross Hospital and an Aventura doctor's office, the Orlando Sentinel reports. The ring used information stolen from the Fort Lauderdale, Fla.-based hospital to sign up for fraudulent debit, credit and bank accounts.

Hospital officials believe up to 1,500 patient data sheets were compromised between April 2009 and September 2010. Because it is impossible to determine which patients might have been affected, the hospital is notifying each patient who went to the ER while the employee worked there, the Sun Sentinel reports. The compromised information includes names, addresses, dates of birth, Social Security numbers and brief initial diagnosis descriptions from ER visits, according to the hospital.

Kudos go to the hospital for going public quickly on this news. The same day the people in the identity-theft ring were charged, the hospital started sending out the first of 44,000 notification letters and posted a press release on its website about the "possible data breach."

Many hospitals that experience data breaches seem to follow the "least said, soonest mended" rule and fail to push information out to the public when their communities know something is up. Perhaps it helped that the hospital enlisted the aid of PR firm Burson-Marsteller to help with crisis communication.

In another move that shows Holy Cross values its customer relationships, it is offering affected patients one year of free credit monitoring services from Experian to help them protect against the possibility of identity theft. The hospital also created a telephone hotline to field patient inquiries.

According to Dr. Patrick Taylor, president and CEO of the hospital, Holy Cross already has made a procedural change to limit the amount of important personal data on patient data sheets. It is also reviewing its systems, policies and procedures to identify other areas where data security could be beefed up.

Federal prosecutors allege that Mildred Alexis of Miramar recruited Natashi Orr, a former hospital employee, and paid her to steal ER patient data. The data was sold to two other fraudsters who used the information to open debit, credit and bank accounts, according to the Sun Sentinel. Four of the five people involved in the plot have been arrested so far.

An investigation revealed that the hospital's computer systems and network security were not affected, according to a hospital press release. The breach came to light when postal inspectors came across 38 paper patient data sheets in a criminal investigation.

"This was a low-tech crime involving paper data sheets," Tom Olson, a flack with Burson-Marsteller, which is doing PR for the hospital, told FierceHealthcare. "She was carrying paper out, not breaking network security."

All five people involved in the plot have been hit with mail, wire and bank fraud charges, which carry penalties of up to 20 years in jail per count, with up to 10 more years for each count for disclosing individual health information, the Sun Sentinel reports.

To learn more:
- read Holy Cross Hospital's press release
- here's the Sun Sentinel story
- read the Orlando Sentinel story
