Wednesday, Dec. 9, 2009 | 12:07 p.m.
- FBI to probe UMC leak of patient information (11-24-2009)
- At UMC, audits show privacy lapses are not new (11-24-2009)
- FBI looking at UMC records leak (11-21-2009)
- FBI, hospital in talks over leak of patient records (11-20-2009)
- Hospital privacy leak could harm patients (11-20-2009)
Related Documents (.pdf)
- Download the UMC HIPAA Compliance Review
- Download the audit brief for the UMC HIPAA Compliance Review
- Download the audit follow-up findings recommendations and corrective actions taken
- Download the follow-up letter to Virginia Valentine regarding findings from the 2008 UMC HIPAA Security Rule review
- Download the letter to Kathy Silver regarding the audit
The chief executive of Clark County’s only public hospital assured legislators Wednesday morning that she takes seriously the recent leak of private patient information — social security numbers, birth dates, names, addresses and medical information — that is now being investigated by the FBI.
Kathy Silver was called before the state’s Legislative Committee on Health Care as a result of Las Vegas Sun stories that exposed an allegedly systematic leak of patient information at the hospital.
Silver assured the committee that the hospital is committed to finding out how the leak happened. And when they find the employee “termination will be the least of their problems,” Silver said. “It’s a serious situation.”
The FBI has launched an investigation into the violations of the federal Health Insurance Portability and Accountability Act, better known as HIPAA — which includes penalties of up to $250,000 in fines and 10 years in jail.
The Sun had obtained 21 UMC patient “face sheets” — cover sheets that include an overview of each case — from a source who was concerned about the leak of information. The source told the Sun he was several degrees removed from the leak and did not know how the records were being released from the hospital, but that they were allegedly being sold for months, or even years, to ambulance-chasing attorneys so they could mine for clients.
The legislative committee meets throughout the year to prepare for the 2011 legislative session. The chairwoman of the committee, Sen. Valerie Wiener, D-Las Vegas, asked Silver what steps have been taken since the breach.
Silver learned of the breach Nov. 19 and said the two face sheets provided to UMC by the Sun showed they were copied early in the stay of each patient — probably on Day One, Silver said. That narrows the number of people who would have had access to the record, she said.
No one knows how many patients had their private information exposed, Silver said. The Sun’s face sheets are from Oct. 31 and Nov. 1, but it’s unknown whether the leak was an isolated incident, a systematic problem or some kind of attempt to embarrass the hospital, Silver said.
There were 71 patients on those two days, Silver said, which means that including family members or guarantors there could be 142 people with their information exposed. The victims will be contacted and provided a year of identity theft monitoring, Silver told the committee.
A hot line set up by the hospital has provided no guidance in the investigation, Silver said.
Hope Hammond, chief privacy officer for Clark County, said officials met five days after learning of the breach to determine how it occurred, and that PIN numbers will be used to track the use of hospital copy machines.
Face sheets will also be modified to hide social security numbers, she said, and additional door locks and electronic controls will be added at the hospital.