David Ibata reports on a breach that I covered on DataBreaches.net with a follow-up. In today’s developments, we learn that the breach also affected a healthcare entity:
Nine Emory Healthcare patients have become victims of identity theft in a case that could affect the records of as many as 7,000 people, Channel 2 Action News reported Monday.
The hospital bills of 32 patients at Emory’s orthopedic clinic were taken, and the Social Security numbers, dates of birth and other confidential information were used to file fraudulent tax returns in nine patients’ names, the hospital confirmed.
Investigators found evidence of document thefts in the home of Annette Ford, a former real estate broker from Suwanee who investigators said made about $2.5 million as a mid-level player in a massive identity fraud conspiracy.
[…]
No mention of Emory was made at the time.
Ford had no affiliation with the hospital but allegedly had an inside contact, a person formerly employed as a clerk.
The employee printed off the bills of more than 3,000 patients, Channel 2 reported. It did not disclose its sources for the information.
[…]
It was not clear Monday if the latest revelation of ID theft at Emory was connected to one reported by the AJC in February. Then, the hospital said the identifications of 77 orthopedic clinic patients had been stolen. Another 2,400 patients were notified that a theft had occurred.
Read more on AJC.
Kerry Kavanaugh also reports on the breach. With respect to the insider, Kavanaugh notes:
The hospital traced it all to one clerk. Sources close to the investigation tell Kavanaugh the same clerk printed off the bills of more than 3,000 patients.
“We don’t know that the employee was actually responsible for getting this information out there. As far as we know the information was not protected.”
Last month, Emory notified 7,300 patients about the breach with through a letter. It said an individual inappropriately printed billing information on patients. Emory fired the employee in July.
The letter also reminded patients to be vigilant when monitoring their credit and personal data.
Read more on WSBTV.com.
Did Emory tell those notified that the data had not only been printed out but in at least some cases, given to an outsider who misused it for tax refund fraud? Wouldn’t their caution to be vigilant be more likely to have an impact if recipients knew that others had already been victimized?
There’s a lot puzzling about Emory’s actions in this case. Was this related to the breach report in February or was this a separate incident? The February incident was originally reported as a hacking incident but maybe the hack was an assumption when the feds tipped off the hospital that patient data had been misused for tax refund fraud.
Hopefully, Emory will issue a full and complete disclosure that answers some questions.