Major HIPAA Breach in Las Vegas Hospital Investigated by FBI
Posted Jan 28 2010 12:00am
There have always been rumors circulating in the hospitals where I have worked that unnamed clinical personnel were on the payroll of the medical malpractice lawyers in town. They would phone the firm whenever they learned that various types of trauma patient have been admitted to the hospital or when some medical error had occurred or been detected. Attorneys from the firm would then visit the patient and drop a business card. Obviously a very serious breach of hospital and patient confidentiality, if these rumors were true. Better documented, however, is the fact that most breaches of patient confidentiality that occur in hospitals are inside jobs.The are committed by hospital employees who have ready access to patients' physical or electronic medical records, at least in the units where they work. I recently came across an a article about a serious HIPAA breach at University Medical Center, Las Vegas, where an investigation by the FBI is now underway. Below is an excerpt from it (see: UMC admits to prolonged patient privacy leak):
University Medical Center officials said Monday that personal information of traffic accident victims was likely leaked from its trauma center for more than three months, and stopped only after the Las Vegas Sun told the hospital about the breach. The hospital’s statement was the first acknowledgment that the leak of patient data was more widespread than it had previously said, and closer in time to what the Sun had reported.The breach had apparently been going on for months....The FBI is investigating because such leaks of patient data would violate the Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy in health care facilities. UMC waited almost a month to notify patients about the leak of their personal information, and that of people who accompanied patients to the trauma center. UMC is offering the victims free credit monitoring services for a year, although there have not been any reports that the data have been misused....A source in the medical community had provided the newspaper with the documents. The source is several degrees removed from the leak at UMC and did not know exactly where the documents came from....Congress recently increased the penalties for HIPAA violations. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.The FBI launched an investigation into the leaks after the Sun told hospital officials Nov.19 that it had come in possession of “face sheets,” the cover sheets that contain personal information about each case, such as Social Security numbers, birth dates and accident details and injuries sustained....
A few aspects of this case strike me as being quite odd. The first is that the hospital personnel waited a month to notify the patients about the security breach. I am sure that their excuse is that they were investigating the incident but this strikes me as too long a wait. The second is that the newspaper information source is described as being "several degrees removed from the leak at UMC and did not know exactly where the documents came from." My guess, on the basis of this hint, is that it may be disgruntled employee of a local law firm who was poking around in some locked files. The third point is that the hospital is offering the "victims" free credit monitoring services for a year. This strikes me as a slightly disingenuous move on the part of the hospital executives. Certainly credit card fraud is on the mind of many consumers and patients these days. However, there are many easier ways for criminals to get their hands on social security numbers than pilfering face sheets of medical records. My sense is that whoever was behind this crime had a more lucrative goal in mind than buying video game at the local Wal-Mart through identity theft. Make note of the fact that the hospital information leaks occurred in the hospital trauma center.