A lack of urgency

Monday, Dec. 14, 2009 | 2:03 a.m.

Officials at University Medical Center, Clark County’s public hospital, were told three weeks ago that at least 71 patients’ names, birth dates and Social Security numbers were leaked. Yet as Marshall Allen reported in Thursday’s Las Vegas Sun, the hospital hasn’t rushed to let the patients know.

At a legislative hearing Wednesday, hospital CEO Kathy Silver said UMC hadn’t contacted patients to tell them of the breach. On Friday, Clark County officials said they had sent letters to more than 100 people who had been treated at UMC’s trauma center Oct. 31 and Nov. 1, letting them know of what happened and offering them a free year of credit monitoring.

That notice is long overdue. In the age of identity theft, we find the delay unconscionable.

Unfortunately, the hospital has not shown any sense of urgency in dealing with this case. Silver and Clark County Commissioner Lawrence Weekly, chairman of the hospital’s board of trustees, had heard of rumors about leaks of patient information to personal injury attorneys when the Sun contacted them last month. Weekly said he was planning to ask around about the rumors. Silver said she had dismissed the rumors after a cursory inquiry.

Clark County Commission Chairman Rory Reid called for a full investigation after the Sun received information on 21 patients who had been in car accidents from a source. The source, who expressed concern about the release, said the situation has been going on for months, if not years. The belief is that the information is being sold or given to personal injury attorneys trolling for clients. A paramedic and a UMC nurse told the Sun that they had been offered money for patient information but refused.

The FBI is investigating potential violations under the federal Health Insurance Portability and Accountability Act, which protects patient privacy, and we hope investigators are able to quickly root out the person or people doing this and put an end to such behavior.

Silver said she would wait for the FBI investigation to decide whether to tell other patients about what has happened. It is unknown how long the investigation will take to complete.

The hospital has 60 days from the time it learns of a leak to inform patients whose information was released, but it shouldn’t wait. Hospital officials knew Nov. 19 that at least two days’ of patient information — and information on family members and insurance guarantors — had been given out. The hospital should have contacted anyone whose information was released within a few days so they could take action to protect themselves from identity theft. UMC officials’ delay has left these people vulnerable to fraud.

UMC has a responsibility to protect patient information, and so far, officials haven’t given the public any confidence that they’re up to the task. This should be a higher priority because it goes directly to the hospital’s credibility. And after a string of problems at UMC over the past few years, including a political corruption case involving its former CEO and serious budget problems, the hospital has little credibility to spare.