Yet another incident involving the theft of patient data in Florida by employees has been disclosed.
In a letter to those affected, the University of Miami Health System writes:
Based on information provided by law enforcement on July 18, 2012, the University of Miami Health System conducted an investigation that revealed that two University of Miami Hospital employees were inappropriately accessing patient information, specifically registration “face sheets,” and may have sold them. These two employees were terminated immediately. The University of Miami Health System delayed public notice at the request of law enforcement to avoid hindering the criminal investigation.
Face sheets contain basic identifying information, including name, address, date of birth, insurance policy numbers, and the reason for the visit. While social security numbers are masked to display only the last four digits, some health insurance plans, such as Medicare and Medicaid, continue to use social security numbers as insurance policy numbers, which are included on the face sheet.
In an abundance of caution, we are notifying patients who may have been seen at University of Miami Hospital between October 2010 and July 2012.
A corresponding FAQ on the incident explains:
Based on information provided by law enforcement, the University of Miami Health System conducted an investigation into the activity of two University of Miami Hospital employees. The investigation revealed that these two individuals were inappropriately accessing patient information from registration “face sheets” and may have sold the information to a third party. Once discovered, these two employees were terminated immediately.
We have no indication that medical records are at risk. At the University of Miami Health System we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of patient data and remain committed to cooperating with law enforcement as they continue their investigation.
What Information Is Included On The Face Sheets?
Face sheets are patient registration related documents that contain basic identifying information, including name, address, date of birth and insurance policy numbers, as well as the reason and service area for the visit. While the social security number field was masked to display only the last four digits, some health insurance plans, such as Medicare and Medicaid, continue to use social security numbers as insurance policy numbers. Such information was included on the face sheets. Face sheets do not contain test results or other patient health care or financial information. We have no indication that medical records are at risk.
The incident was first reported in the media by the Miami Herald.
So once again a hospital does not discover insider wrong-doing and has to be told by outside sources.
I wonder if this operation is related to the patient data thefts at Florida Hospital and Memorial Healthcare System that were recently disclosed. There certainly has been a lot of patient data stolen in Florida and the number of disclosures within the past few months is curious, to say the least.
But what is HHS and/or the State of Florida going to do about all these breaches to require better security and access controls or auditing? Something needs to be done.
Update: The University of Miami subsequently informed HHS that they notified 64, 846 patients of this breach.