DataBreaches.Net


Aventura Hospital notifies 82,601 patients of possible data theft; third theft incident in 2 years

Posted on September 15, 2014 by Dissent

A breach entry added to HHS’s public breach tool last week reveals that 82,601 Aventura Hospital and Medical Center patients may have had their identity information stolen by an employee of their business associate, Valesco Ventures. 

At the time of this publication, there is no statement or notification on Aventura’s web site. PHIprivacy.net was, however, able to find a Legal Notice published in various media on September 9, 2014:

LEGAL NOTICES STATEMENT

Valesco Ventures, which provides hospital physician staffing and related services to patients in hospitals, was recently made aware of a situation involving the possible theft of personal patient information from Aventura Hospital and Medical Center. We are committed to the security of patient information, and we apologize for this incident.

On May 28, 2014, Valesco Ventures was notified that an employee may have improperly accessed the personal identifying information of a number of patients of Aventura Hospital and law enforcement was contacted. On June 10, 2014, law enforcement concluded that this employee had improperly accessed this patient information.

This information included patient names, dates of birth, and social security numbers. No personal financial or health information was improperly accessed.

Shortly after law enforcement was notified, Valesco Ventures and Aventura Hospital suspended the individual’s computer and physical access to patient data, and began assessing how to mitigate risks to all patients. Valesco Ventures and Aventura Hospital continue to work with law enforcement to preserve the information that is important to their investigation. We have since determined that the inappropriate access occurred starting on September 13, 2012 and continued through June 9, 2014.

Valesco Ventures and Aventura Hospital are assisting law enforcement to identify and prosecute all responsible parties. Valesco Ventures and Aventura Hospital and Medical Center are committed to the proper handling and protection of patient information, and have been working to review our processes and systems to further ensure that personal information is protected in a secure manner.

If you were a patient at Aventura Hospital and Medical Center and your information has been identified as inappropriately accessed, you have or will receive a letter from Valesco Ventures to explain how best to protect your personal information. If you have questions or concerns about the letter you received or would like assistance to determine whether your personal information may have been compromised, please contact our representative at 1-866-979-2595.

Valesco Ventures is a joint venture between EmCare and Aventura’s parent company, Hospital Corporation of America (HCA).

Third Data Theft Incident in Two Years

This incident appears to be the third patient data theft reported by Aventura to HHS in the past two years.

In January 2013, PHIprivacy.net noted that HHS had received a report from Miami Beach Healthcare Group LTD dba Aventura Hospital and Medical Center that 2,560 patients had PHI stolen from their electronic medical records between January 1, 2012 and September 12, 2012. Aventura only became aware of the problem when they were contacted by law enforcement, as a subsequent statement indicates:

On September 7, 2012 law enforcement notified Aventura Hospital, stating that documents containing patient information had been stolen from the facility. Law enforcement believes these records were stolen for the possible purpose of identity theft.

Aventura Hospital and Medical Center is committed to the proper handling and protection of patient information, and we are working closely with law enforcement to investigate and identify the individuals responsible for the theft. We have contacted those affected and we are taking steps to mitigate risk to affected patients such as providing free credit monitoring for one year. In addition, we are initiating new guidelines to further ensure the protection of patient information in the future.

If you have questions or concerns, please call 1-888-594-8651.

Significantly, perhaps, their newest breach report covers the period beginning the very next day after the earlier breach reportedly ended, raising questions as to whether this really is a new incident or if, perhaps, there had been more than one person involved in the data theft they uncovered in 2012.

In any event, it seems clear that data theft by a Valesco employee continued for 21 months before either Valesco or Aventura learned of the problem. Also noteworthy, the legal notice concerning the newer breach does not indicate exactly how Valesco was made aware of their rogue employee’s data theft. Were they notified by law enforcement? Unlike many breach disclosures, Aventura’s two notifications omit any of the “We have no evidence of any misuse” statements we often see in such cases, and it is not clear whether there have been any cases of fraud resulting from either of these two incidents.

In a third incident previously unknown to this site, Aventura notified HHS that 948 patients’ information was stolen on October 1, 2012. HHS’s log entry for the report codes it as “theft, desktop computer,” but given HHS’s confusing coding, it is not clear to us whether this means that a desktop computer with patient information was stolen or if it means that patient information was stolen from the desktop computer. [CORRECTION/UPDATE: that theft occurred between October 1, 2012 and December 31, 2012, so this incident is likely theft of data from the computer and not theft of the computer itself, although it would be nice to get confirmation of that.] It is also not clear when Aventura reported that October 2012 theft to HHS, as HHS only added the incident to its breach tool on September 12, 2014 – the same day it added the larger incident involving 82,601 patients. It is possible, of course, that Aventura had reported this third incident in a timely fashion and HHS just got around to entering it.

PHIprivacy.net could find no statement from Aventura still available online that disclosed the October 2012 breach or indicated when Aventura notified patients.

PHIprivacy.net emailed HCA on September 12 and again on September 14 to inquire as to whether the breach incidents reported to HHS were connected to each other. They did not respond other than to reply on Sunday to say that PHIprivacy.net would have to contact Aventura’s marketing department, who were not immediately available by phone when PHIprivacy.net called yesterday. Despite leaving a detailed message and publication deadline, Aventura did not return the call by deadline. If they do respond, this post will be updated.

Hopefully, HHS/OCR will investigate these incidents thoroughly, including Aventura’s contract with Valesco and whether they monitored Valesco’s compliance with any security requirements such as criminal background checks on employees. Regardless of whether these were three separate incidents of patient data theft between January 1, 2012 and June 9, 2014 or one long-running conspiracy to steal patient data, it appears that over 85,000 of Aventura’s patients have been put at risk of identity theft for tax refund fraud, and many more may be at risk if Aventura has not adequately addressed the insider threat from its own employees and its contractors’ employees.

[post-publication correction of one date]

Update of Sept. 16: Christina Vazquez of Local10 in Florida reported on the breach today. She seems to be the first reporter in Florida to pick up/catch the story, even though I had tweeted to SunSentinel, TBO, and Miami Herald yesterday. Good for her, and I look forward to what else she finds out.

Update 2: Former employee Felicidy Butler was charged with (and pleaded guilty to) data theft that occurred in 2012. Local10 has that report. Based solely on the dates, this would seem to coincide with the first breach reported by Aventura that ended in September 2012, but confirmation of that is needed from Aventura.


1 thought on “Aventura Hospital notifies 82,601 patients of possible data theft; third theft incident in 2 years”

  1. Anonymous says:
    September 17, 2014 at 2:49 am

    I live in UK. My late husband had just received a letter from Valesco Ventures stating exactly what is printed on this site. If this incident has been going on since 2012, to me, it seems a bit too late to bolt the stable door after the horse has left. I feel very disappointed in the hospital letting this happen in this day and age. Yesterday after I calmed down I contacted all banks and fraud police just in case.
    Yours sincerely
    Nadia Clarke
