Following revelations yesterday by the FBI and U.S. Attorney’s Office of a massive Medicare fraud scam that utilized patient data stolen, in part, from Orange Regional Medical Center in New York, I asked the center whether they had known about the breach when it occurred in 2005 and whether and when patients were notified of the breach. In response, the center sent me this e-mail statement:
Orange Regional Medical Center was very concerned to learn from news reports that we were among several NY healthcare facilities from which patient identities had been allegedly obtained in 2005 by an organized crime ring, for the purposes of committing Medicare fraud. We were not aware of this Medicare fraud scheme until learning of it from news outlets; and we consider ourselves among the victims of this conspiracy. Orange Regional regards the protection of patient information to be among our highest priorities and we take any purported breach of patient information very seriously.
We have reached out to the FBI, Department of Justice and Office of the Inspector General and asked that they share with us any information relating to this incident and, specifically, whether this breach occurred within Orange Regional or outside at a site unrelated to Orange Regional. Presently, we are awaiting information.
In light of a statement in the indictment linking stolen patient data directly to a breach at ORMC in 2005, it sounds like the center had no idea that there had been a breach and still does not really know about it.
This is not the first time we’ve seen law enforcement withhold information about breaches from breached entities. Now that they’ve indicted people, though, it would be helpful if they informed the breached entities what they know about how the breaches occurred and which patients’ data were stolen, so that the hospitals can contact their patients to make proper notification and offer apologies and support, as appropriate.