Florida hospital admits to data breach affecting 1500 patients

The data breach, which involved patients’ names, addresses, Social Security numbers, and other personal details, was perpetrated by an emergency room employee and three other people, according to a report in the Sun Sentinel newspaper.

The employee, Natashi Orr, worked at the hospital from April 2009 until September 2010. She was fired after a three-month investigation by federal agents uncovered the data breach. The investigators were unable to determine how many patients, beyond the 1500, had their information compromised.

As a precaution, Holy Cross notified all 44 000 patients who visited the emergency room during that period so they can take steps to make sure their identities were not misused, said hospital chief executive Patrick Taylor. The hospital is providing free credit monitoring services to these patients.

“While it may be impossible to absolutely prevent an employee from violating our values and policies for personal gain, we are determined to take all necessary steps to review and strengthen our administrative procedures to ensure that we are providing the highest level of data security possible,” said Taylor.

According to Taylor, the hospital has already made a procedural change that limits the amount of key personal data included in the type of documents involved in this incident. The hospital is also conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements, he added.

Orr allegedly was paid for the patient information by Mildred Alexis, who then sold it to Albert Anthony Andrulonis and Jimmy Lee Theodore. Andrulonis and Theodore then allegedly used the data to obtain credit cards and bank debit-card accounts to steal money, authorities said.

The newspaper noted that this is the second major data breach at a South Florida hospital. In 2007, an employee at the Cleveland Clinic in Weston was arrested for stealing the personal details of 1130 patients to use on fraudulent medical bills. The employee sold the information to a Naples medical firm that used the data to collect $8 million from false Medicare claims.
