Insiders Arrested In 2 ID Theft CasesUniversity of Florida Healthcare Facilities Affected
A former employee and a trainee at healthcare facilities affiliated with the University of Florida have been arrested in identity theft cases that put personal information about more than 15,000 patients at risk.
The recent breaches are part of a larger identity theft ring being investigated by state law enforcement, the U.S. Secret Service and the Internal Revenue Service, says a spokeswoman for the Florida State Attorney's office, fourth judicial circuit. Additional arrests are pending, she adds.
The two arrests tied to allegations of fraudulent use of personal identification information come on the heels of a number of other recent ID fraud cases involving employees at other hospitals in Florida and elsewhere (see: Arrests, Lawsuit in Hospital ID Thefts). "ID theft is a growing problem nationwide," says the state attorney's office spokeswoman.
The University of Florida last week sent letters to more than 15,000 patients to notify them that their personal information, including names, addresses, date of birth, medical record numbers and Social Security numbers might have been compromised in the two incidents.
The larger of the two cases involves about 14,300 patients who were treated between March 2009 and October 2012 at UF&Shands Family Medicine at Main in Gainesville, Fla.. On April 2, law enforcement officials arrested Arthur Corey Thomas, a former worker at the clinic, in conjunction with the incident, according to Jacksonville Sheriff's Office arrest documents.
In a statement, the university said it learned of the incident from state and federal law enforcement officials on Oct. 25, when an identity theft ring that targeted several hospitals and health clinics in the state of Florida was uncovered. Law enforcement prohibited the university from notifying patients until the criminal investigation was completed.
When Thomas was arrested at a traffic stop for speeding, his vehicle contained a duffle bag with a computer-generated appointment sheet showing approximately 1,600 personal identities, according to the Jacksonville sheriff's office. Authorities also found several debit cards with names other than the suspect's in the car.
The clinic is offering free fraud resolution services for one year to those who suspect or confirm identity theft.
In the second case, Daremia Crew, who was a participant in a job training program at the Shands Jacksonville Brentwood Primary Care Center, was arrested in January. In a statement last week about this incident, the university-affiliated facility said it notified more than 1,000 patients that their personal information could be at risk for ID fraud.
The Jacksonville Sheriff's Office reports that Crews allegedly used her cell phone camera to capture images of computer screens showing patient ID information. Those images were allegedly sent to another individual who is now cooperating with authorities. Law enforcement officials allege the patient information was stolen for the purpose of filing false tax returns, according to the provider's statement.
Crews is slated for arraignment on April 17, the state attorney's spokeswoman says.
The Shands Jacksonville Brentwood Primary Care Center is offering one year of free identity theft monitoring services to all patients who receive notification about the breach, according the university spokeswoman.
The University of Florida takes a number of steps to prevent information breaches at its healthcare facilities, the spokeswoman says. Those include "thorough background checks on prospective employees," she says. Thomas worked at the medical clinic for a number of years, and "nothing in this person's history indicated issues," she adds.
In addition, the university's health facilities have procedures in place to limit employee access to patient information based on their role, she says. Employees also receive HIPAA compliance training every year, which is then documented.
The university is conducting its own investigation of the incidents and evaluating its procedures to identify areas of improvement, the spokeswoman adds.
"This is very frustrating, because despite our efforts, there are some individuals with willful intent to do something wrong," she says. "We're being vigilant about this. ID theft is a pretty big problem in Florida, and elsewhere."
Besides limiting employee access to patient's Social Security numbers and other sensitive information, healthcare organizations can take other steps to prevent identity fraud involving insiders, IT security experts say. That includes deploying monitoring and breach detection tools (see: Preventing Insider Medical ID Theft).