Shon Gables reports:
Authorities arrested an employee at UT [University of Texas] Southwestern Medical Center after she allegedly stole patent information and possibly their identities.
Hundreds of patients’ personal information – including birth dates, addresses, phone numbers and financial data – was stolen before Tracy Renay Thomas’ arrest and termination, police said.
Thomas is accused of stealing that information and then selling it to a third party.
“No,” Thomas said when asked if those allegations are true. “I need to call my lawyer.”
UT Southwestern recently sent out a mass mailing to 10,000 of its patients, claiming the former employee disclosed patients’ information to a third party that intended to use it for credit, loans and open bank accounts.
Read more on WFAA.
Interestingly, Gables reports that:
Representatives have admitted that when Thomas was hired to work in the financial services department, she did have a prior misdemeanor for theft on her record. She worked at the medical center for six months.
Yet a letter on UT Southwestern’s web site paints a somewhat different picture. The letter, which is not linked from the home page and I could find only by using the site search function to search for breach, says, in part:
UT Southwestern Medical Center recently learned that personally identifiable information about you may have been stolen from UT Southwestern. The protection of your health information is of utmost importance at UT Southwestern, and we regret the inconvenience and concern that this may cause you. We want to alert you to the incident, describe the type of information that may have been compromised, and explain what UT Southwestern is doing to ensure that the privacy of our patient information is maintained.
An individual with no known criminal history, formerly employed in the UT Southwestern University Hospitals Patient Financial Services Department, apparently misused her position of employment to access personal identifying information of patients who had made payments to the University Hospitals. She then gave the information to someone who intended to use the information to apply for credit cards, loans, and bank accounts.
The individual responsible is no longer employed by UT Southwestern, and the UT Southwestern Police Department is actively investigating the individual’s access to and use of the information obtained. Thus far, the investigation has revealed tangible evidence that this individual disclosed the personally identifiable information of 21 UT Southwestern patients in an unauthorized manner, and we have contacted each of these patients directly via telephone. We have additional evidence indicating that the personally identifiable information of up to 179 additional patients was disclosed; however we do not have sufficient evidence to verify the exact identities of those patients. Consequently, we are notifying all patients whose personal information might have been accessed and disclosed. It appears that the former employee had access to your name, address, date of birth, dates of service, and insurance information. She also had access to the manner in which you made payments on your account with UT Southwestern (i.e., check, credit card).
It is important to note that currently there is no evidence of patient information being used in an unauthorized manner from this incident.
So what happened? She had a known criminal history, but they didn’t know it?