The data breach, which involved patients’ names, addresses, Social Security numbers, and other personal details, was perpetrated by an emergency room employee and three other people, according to a report in the Sun Sentinel newspaper.
The employee, Natashi Orr, worked at the hospital from April 2009 until September 2010. She was fired after a three-month investigation by federal agents uncovered the data breach. The investigators were unable to determine how many patients, beyond the 1500, had their information compromised.
As a precaution, Holy Cross notified all 44 000 patients who visited the emergency room during that period so they could take steps to make sure their identities were not misused, said hospital chief executive Patrick Taylor. The hospital is providing free credit monitoring services to these patients.
“While it may be impossible to absolutely prevent an employee from violating our values and policies for personal gain, we are determined to take all necessary steps to review and strengthen our administrative procedures to ensure that we are providing the highest level of data security possible,” said Taylor.
According to Taylor, the hospital has already made a procedural change that limits the amount of key personal data included in the type of documents involved in this incident. The hospital is also conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements, he added.
Orr was allegedly paid for the patient information by Mildred Alexis, who then sold it to Albert Anthony Andrulonis and Jimmy Lee Theodore. Andrulonis and Theodore then allegedly used the data to obtain credit cards and bank debit-card accounts to steal money, authorities said.
The newspaper noted that this is the second major data breach at a South Florida hospital. In 2007, an employee at the Cleveland Clinic in Weston was arrested for stealing the personal details of 1130 patients to use on fraudulent medical bills. The employee sold the information to a Naples medical firm that used the data to collect $8 million from false Medicare claims.
16 November 2010
Interesting to note that the hospital claims it is conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements, which surely should have already been put in place under requirements by HIPAA. This looks like a possible case of an employee with too many privileges, which are easily managed. http://bit.ly/a35hMS