Patients at risk of identity theft may wait 60 days to find out

By Marshall Allen

Thursday, Dec. 10, 2009 | 2 a.m.

Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital — a crime being investigated by the FBI.

But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said.

One victim says that is too long to wait to tell patients they may be at risk of identity theft.

The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information — the kind that can be used for identity theft — was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon.

The man was stunned and angry to learn from someone other than hospital officials that his data had been leaked. Hospital officials should have notified him “way sooner,” he said. “I would’ve given them two or three days after they initially found out. But this is a major thing — a priority thing!”

Silver was called before the state’s Legislative Committee on Health Care as a result of Sun stories that exposed an allegedly systemic leak of patient information at the hospital.

Silver assured the committee that the hospital is committed to uncovering the leak, and when the employee or employees are identified, “termination will be the least of their problems. It’s a serious situation.”

The FBI has launched an investigation into violations of the federal Health Insurance Portability and Accountability Act, better known as HIPAA — which includes penalties of up to $250,000 in fines and 10 years in jail.

The Sun reported the leak — the latest scandal to hit the beleaguered hospital — after the newspaper obtained 21 UMC patient “face sheets” — cover sheets that include overviews of each case — from a source who was concerned about the leak. The sheets were from Oct. 31 and Nov. 1 and were for people involved in traffic accidents.

The Sun’s source said he was several degrees removed from the leak and did not know how the records were being released from the hospital, but that they were allegedly being sold for months, or even years, to ambulance-chasing attorneys so they could mine for clients.

The legislative committee meets throughout the year to prepare for the next session. Silver spent about 20 minutes assuring legislators that she is taking the privacy breach seriously. But her responses may reveal a similar lack of rigor in addressing the problems that led to the breach in the first place.

UMC knew Nov. 19 that patients from two days had their information leaked, Silver told the panel. That puts 71 patients at risk, Silver said, but the number doubles when including family members or guarantors with information on the sheets.

When the hospital gets around to notifying the victims, they will learn that UMC will provide a year of credit monitoring.

Ashley Katz, executive director of the Texas-based advocacy group Patient Privacy Rights, said three weeks is a long time for patients to learn of the risk, although it’s within UMC’s legal limits for disclosure. The breach is going to hurt the community’s trust in the hospital, Katz said, and a delay in disclosing the problem to patients could compound it.

“That will affect its fundraising, who chooses to seek services there and its reputation,” Katz said.

By many accounts, information has been leaked for a long time. The source who told the Sun about the leak said it’s thought to have been taking place for months, or even years.

A UMC nurse told the Sun she was wined and dined years ago by attorneys who offered payment for private patient information. She said she refused. A paramedic also told the Sun that he’s been approached more than once outside of UMC by people offering cash for patient information. He said he also refused.

Silver told legislators it’s not known whether the leak was an isolated incident, a systemic problem or some kind of attempt to embarrass the hospital. She said she would wait for the FBI investigation to determine whether any other patients should be notified about the privacy breach. That could take months or years.

Silver did not tell legislators — and they did not ask — that she and a Clark County commissioner had heard rumors of the investigation before the Sun began its inquiry. Silver told the Sun she heard vague rumors about privacy information being leaked during the summer, but after a cursory inquiry she dropped the matter.

County Commissioner Lawrence Weekly, chairman of the hospital’s board of trustees, had been told about the security breach about 10 days before the Sun contacted him. But he said he didn’t do anything about it because he wasn’t sure leaking patient information was illegal.

Silver and Hope Hammond, Clark County’s chief privacy officer, assured the elected officials they are doing what they can to ensure there will be no more violations. Personal identification numbers will be used to track the use of hospital copy machines. Face sheets will also be modified to hide Social Security numbers and additional door locks and electronic controls will be added at the hospital.

The lawmakers were understated during Silver’s presentation. Sen. Valerie Wiener, D-Las Vegas, chairwoman of the committee, said her concern was that although it is important to train UMC’s staff to comply with patient privacy laws, the hospital also must be cognizant that some may intentionally breach the laws.