Posted 02:02PM EST, April 15, 2008
Hospital employee charged in breach of 50,000 patient records
A hospital employee in New York has been arrested and charged with multiple counts of fraud and stolen property offenses after nearly 50,000 patient records were breached.
Categories:
HIPAA
A patient admissions employee at NewYork-Presbyterian Hospital/Weill Cornell Medical Center has been charged with the theft and sale of some 50,000 patient records, the New York Times reports. The report says that the information obtained was sensitive but did not have medical information in it.
The Atlanta Journal-Constitution reports that hospital spokeswoman Manners also told the Associated Press that no documented abuses had been noted, that the missing records could possibly be part of a "larger criminal enterprise." Manners also said affected patients are being contacted, a help hotline is being set up and the hospital is preparing to offer credit monitoring services to affected patients. The hospital is also reviewing its policies to prevent similar events.
The New York Bar Association's Health Law blog reports that if the employee is charged under HIPAA it would be only the third case of its kind:
Sources: The New York Times, The New York Daily News, The Atlanta Journal-Constitution, The New York Post, The New York Bar Association's Health Law Blog.
The stolen documents included patients’ names, phone numbers and Social Security numbers, but a hospital spokeswoman, Myrna Manners, said they probably did not contain medical information.The New York Daily News reported that signs of the breach were first uncovered by postal inspectors who found printouts of 221 patient records in Atlanta. Hospital officials suspended the employee in February after being contacted by Federal officials. Prosecutors say the employee revealed that in 2006 a man offered cash in exchange for patient records. The employee later sold 1,000 patient records for $750 in December 2007, and then a subsequent batch for $600 in early 2008. Officials determined the employee's login had been used to improperly access 49,841 patient records.
The Atlanta Journal-Constitution reports that hospital spokeswoman Manners also told the Associated Press that no documented abuses had been noted, that the missing records could possibly be part of a "larger criminal enterprise." Manners also said affected patients are being contacted, a help hotline is being set up and the hospital is preparing to offer credit monitoring services to affected patients. The hospital is also reviewing its policies to prevent similar events.
The New York Bar Association's Health Law blog reports that if the employee is charged under HIPAA it would be only the third case of its kind:
If McPherson is charged under HIPAA he would be only the third person I am aware of to face criminal charges. The first was Richard Gibson, a Seattle cancer center employee who in 2004 was sentenced to 16 months in prison for stealing one patients' protected health information. The other is Leslie Howell of Oklahoma City, a mental health counselor indicted in August 2007 for selling over one hundred patient files. If McPherson really did sell 50,000 patient files that would be the largest breach by far.
Sources: The New York Times, The New York Daily News, The Atlanta Journal-Constitution, The New York Post, The New York Bar Association's Health Law Blog.
