Advanced Data Processing, a subsidiary of Intermedix Corp. that does business as ADPI, handles billing for a number of ambulance services throughout the U.S.
The Florida-headquartered firm notified the California Attorney General’s Office this week that on October 1, they discovered a rogue employee had been accessing and disclosing patient information to others who used the information to file fraudulent tax returns to obtain refunds. According to their notification letter and a statement sent to PHIprivacy.net by spokesperson Lisa MacKenzie, the breach occurred on June 15, when the employee first improperly accessed patient data.
According to their statement to this site, ADPI was alerted to the breach by authorities, who informed them that an employee might be improperly accessing and improperly releasing confidential personal information. MacKenzie tells PHIprivacy.net, “The employee was suspected of being connected to a tax fraud scheme that has far reaching implications beyond the improper access at ADPI.”
While ADPI would not disclose how many patients were affected, how many more might possibly have had their data accessed, nor how many of their clients were affected, MacKenzie informs this blog that 17 states have been notified of this breach including Arizona, California, Florida, Georgia, Kansas,Kentucky, Massachusetts, Maryland, Missouri, North Carolina, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, Tennessee and Texas. HHS was notified of the breach yesterday.
The employee has been apprehended, but has not been publicly named yet, and it’s not known to this blogger whether the employee has been charged criminally at this time.
Although no medical information was accessed, patient information included names, dates of birth, Social Security numbers and record identifiers.
Free credit monitoring services were offered only to those patients whom ADPI could confirm had their details accessed by this employee. Other patients whose data may have been accessed were notified and advised to be vigilant.
The Los Angeles Fire Department was one of the clients affected, as the Los Angeles Times reports.
(This post originally appeared on PHIprivacy.net)
Update: According to a second article in the L.A. Times, the employee has not been charged at this time. I also learned that this incident is part of the vast ID theft/fraud ring investigated for the past two years and referred to as “Operation Rainmaker” by law enforcement officials.
Note: Most, if not all, updates on this incident will be posted to PHIprivacy.net.
And one day later… we hear of a Tampa hospital maintenance worker who is able to obtain two pages of patient names & Social Security numbers, and successfully net $550,000 in fraudulent tax refunds.
This is a HUGE problem in Florida. And I’ve been mulling over what we know already and what might need to be done. Right now, they’re using patient data for tax refund fraud, which is bad enough. What if they also start selling patient info cheap to those who have no health insurance? The consequences could be horrific.
I worked for ADPI/Intermedix in Miami and I can tell you that any employee can access patient data, because there is so much work and employees are handling different counties/cities throughout the US , monitoring by manager is not done. Any employee can write down any patient info i.e. date of birth, social security numbers,and in some case credit card information and no one will know. Even had a employee who ordered breakfast with an patient credit card.
“Do The Right Thing ” is their motto, but if you Do The Right Thing and tell Human Resources what you know or suspectr YOU WILL BE FIRED!!!!!!!