Arrests, Lawsuit in Hospital ID Thefts
Fraud Incidents Point to Need for Preventive Measures
Two more cases of identity theft at hospitals shine a light on how patient information can be stolen to commit fraud. But security experts say healthcare organizations can take steps, such as deploying monitoring tools, to help prevent these kinds of breaches.
The ID theft cases at Boca Raton Regional Hospital in Florida and North Shore University Hospital in New York both involved hospital staffers who allegedly stole patient information, including Social Security numbers, to open fraudulent credit accounts. The Florida incident, which occurred from January to June 2012, also involved stolen patient IDs used to file fake tax returns.
In the Boca Raton case, two individuals, including a former hospital scheduler, were indicted Jan. 24 on a number of charges, including access device fraud and identity fraud.
A Boca Raton Regional Hospital spokesman would not comment on the case other than to say the organization is cooperating with authorities investigating the incident.
Class Action Lawsuit
Meanwhile, in a class action lawsuit filed this week in New York, 12 plaintiffs who were patients of North Shore University Hospital claim the hospital was negligent, breached fiduciary duty and violated several laws, including HIPAA, when a former hospital worker stole patient record face sheets - the top sheets on patients' paper files - and subsequently used personal information to allegedly open fake credit card and cell phone accounts. The incidents occurred in 2010.
The plaintiffs are suing for $50 million in punitive damages and an unspecified amount for actual damages, according to news reports.
North Shore-LIJ Health System, which owns North Shore University Hospital, says more than 100 patients were affected by the 2010 ID theft incident.
The health system sent letters to about 200 patients in late 2011 and early 2012 notifying them that their personal information may have been compromised and offering free credit monitoring for a year, says Terrance Lynam, a spokesman for North Shore-LIJ. So far, about half of those patients have reported fraudulent credit card activity, he adds.
Law enforcement authorities are still investigating the case, which is believed to be part of a widespread identity theft ring that victimized about 1,000 individuals throughout the Northeast, says Lynam, who declines to comment on the lawsuit.
"The hospital has been cooperating fully with all law enforcement agencies involved in this matter," he says. "It is our understanding that there have been multiple arrests and two convictions stemming from the investigation."
The hospital has taken steps to strengthen the security protocols in place to protect patient information, Lynam notes. "In the past 11 months, no further identity thefts have been reported to the hospital, indicating that the safeguards the hospital now has in place are working."
Among the new safeguards, Lynam says, is the removal of Social Security numbers from patient face sheets. He declined to discuss the other security measures implemented by the health system.
Besides limiting employee access to patients' Social Security numbers and other sensitive information, healthcare organizations can take other steps to prevent identity fraud involving insiders, says Brian Evans, principal at IT consulting firm Brian Evans Consulting. That includes deploying monitoring and breach detection tools, as well as ramping up employee training.
"The organization's awareness and training program clearly needs to educate the workforce on policy and proper conduct with potential consequences for infractions," he says.
Also, healthcare organizations can employ breach detection applications that can flag data access anomalies, he suggests.
"As a result, written policies and procedures are enforced with a technical solution and unauthorized access is detected and addressed accordingly," he says. "More importantly, the organization's culture is changed because consistent and ongoing auditing and monitoring is established, which acts as a deterrent with disciplinary action as the outcome for those employees found in violation of policy."
Preventing Insider Breaches
Of course, unauthorized access to patient information by insiders doesn't always result in fraudulent activities as in the recent Florida and New York cases. Nonetheless, those breaches - including record snooping cases - are clearly intrusions of patient privacy.
"Unauthorized access has been a common problem in every healthcare organization I've worked in since the 1990s," Evans says. "Without proper auditing and monitoring in place, it's difficult to quantify the scope of unauthorized access where employees take advantage of the privileges they have for non-work related purposes like snooping."
More than 535 major breaches have been reported to the Department of Health and Human Services since September 2009 (see: Breach List: Business Associate Update). Unauthorized access to data is the cause of roughly 18 percent of those major breaches, Evans says.
Other Fraud Cases
Several other ID theft cases have been in the news in recent months.
A former Florida Hospital Celebration emergency department registration clerk was sentenced to 12 months and one day for selling patient information he improperly accessed in a breach of 760,000 patient records. Two co-conspirators in that case - including another former Florida Hospital worker - have pleaded guilty to various charges and are awaiting sentencing in March (see: Prison Time for Health Data Theft).
Other recent fraud cases involving insiders at healthcare organizations in Texas and Louisiana offer more proof that institutions need to be vigilant in preventing these kinds of incidents (see: Preventing Insider Medical ID Theft).