FBI looking at UMC records leak

Agent says ‘multiple federal laws’ might have been violated

Tiffany Brown

University Medical Center, which is Clark County’s only publicly funded hospital.

By Marshall Allen (contact)

Saturday, Nov. 21, 2009 | 2 a.m.

UMC has set up a hotline. Call (888) 691-0772 if you have information regarding the possible leak of patient information, or if you are a former patient who has received unsolicited contact from an attorney's office.

Hospital privacy leak could harm patients (11-20-2009)
FBI, hospital in talks over leak of patient records (11-20-2009)

Accident patients who have been treated at UMC and contacted by legal representatives are invited to contact reporter Marshall Allen at 259-2330 or marshall.allen@lasvegassun.com.

More Sun health coverage

U.S. Department of Health & Human Services: Health Information Privacy
University Medical Center of Southern Nevada

Rory Reid

Cathleen Allison / Nevada Appeal

Kathy Silver

Lawrence Weekly

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

UMC officials spent Friday determining how they would respond to the Sun’s report that protected patient information allegedly has been sold so ambulance-chasing attorneys can harvest clients.

FBI Special Agent Joseph Dickey said the agency met with officials of the county owned hospital and has begun “evaluating” the unauthorized release of confidential patient records.

Dickey said he could not confirm whether the FBI had officially opened an investigation. The matter appears to violate the federal Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy.

“The allegations seem to be very serious,” Dickey said. “Absolutely, they are serious, on a number of fronts. There could be multiple federal laws that are violated.”

He added that this is the first time he has seen such a potential violation in Las Vegas.

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Hospital CEO Kathy Silver said the hospital called Metro, but the case was referred to the FBI.

The county’s response is an about-face for hospital and county officials. Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Commissioner Lawrence Weekly, chairman of the hospital’s board of trustees, told the Sun that he was warned almost two weeks ago by “several credible people” that someone was leaking private patient information to an outside attorney. But Weekly did not report the information to anyone at UMC because he was not familiar with the HIPAA laws — which include penalties of up to $250,000 in fines and 10 years in jail.

The hospital’s alarm bells went off Thursday, when the Sun told Silver that it had obtained, from a source concerned about the security breach, 21 UMC “face sheets,” the documents that provide an overview of each patient case including personal information on the patient and family members, billing details and an overview of injuries.

The documents related to patients who had been injured in traffic accidents on Oct. 31 and Nov. 1. The source did not know how the copies of the face sheets were leaked from the hospital, but said he obtained them through a chain of concerned people in the medical community who were frustrated by the hospital’s lack of response to the HIPAA violations. Face sheets have been leaked from UMC for months, the source said he believes.

Patients and families listed on the face sheets were stunned when they were contacted by the Sun and told of the violation of their privacy.

Cheryl Mayes suffered an eye injury in a car accident Nov. 1 and was rushed to UMC’s trauma center. Both hers and her husband’s personal information was contained in a face sheet that was leaked.

“It’s out of line,” Robert Mayes, her husband, told the Sun. “It’s negligence on the part of the hospital and their administration for the way they handle records.”

Mayes said he was not shocked that someone in these economic times would sell his patient information from the hospital. He said he was disappointed and “a little angry,” but that “it’s just something you deal with.”

Another man whose Social Security number was compromised because his daughter was at the hospital Oct. 31 said he was “shocked” and felt “betrayed” by UMC.

Meanwhile, some medical professionals said they were not surprised by revelations of information leaks at UMC.

“That’s been going on for a long time,” said a nurse who worked in the UMC trauma center.

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

She later heard from other attorneys that they had nurses on the payroll who worked in the trauma department.

“For every referral they get a couple thousand dollars,” the nurse was told.

The nurse said she never told any supervisors because she never knew for certain who was involved. But she said she knew that “somebody was going to get bitten bad with this one. If it’s happening with as much frequency as I’m hearing, it’s going to explode one of these days.”

Phil Pattee, assistant bar counsel for the State Bar of Nevada, said attorneys are not allowed to solicit clients directly and are not allowed to have anyone do so on their behalf. They are also not allowed to split fees with third parties who are not attorneys, he said.

The bar, which licenses attorneys, would be “very interested” if the allegations reported by the Sun are true, Pattee said. Attorneys found guilty of such allegations could be publicly reprimanded, suspended or disbarred, he said.

Perhaps the most galling fallout of the breach was shared Friday by a man whose middle-aged loved one is fighting for life in UMC’s Intensive Care Unit.

He told the Sun that a few days ago a company selling burial insurance left him a message at home. “Protect your loved ones from the burden of paying for your burial,” the message said, guaranteeing acceptance regardless of medical condition. He had never before received such a call, and had not sought such services.

After reading the Sun’s story of the leaked patient information, the man wondered if UMC employees had sold the patient’s personal information to the burial insurance company. He described such behavior by employees as “mercenary.”

“How jaded are they in this whole life and death thing that they feel comfortable making money on whether somebody lives or dies while under their care?” he said.

Sun reporter Richard Serrano contributed to this story.

Discussion: 11 comments so far…

Comments are moderated by Las Vegas Sun editors. Our goal is not to limit the discussion, but rather to elevate it. Comments should be relevant and contain no abusive language. Comments that are off-topic, vulgar, profane or include personal attacks will be removed. Full comments policy.

By mycroft6

Nov. 21, 2009

5:28 a.m.

Suggest removal

You just wait if they catch the people doing this and arrest them they will not want their names in the paper because it will invade their privacy.
By bcfrancis

Nov. 21, 2009

6:40 a.m.

Suggest removal

This is unbelievable! Kathy Silver should be fired immediately.

The County should sell UMC to a private corporation that knows how to properly run a hospital. UMC is nothing but money pit to both tax payers and the County.

It has had has nothing but crooks and total incompetence in charge.
By guns4hire

Nov. 21, 2009

7:13 a.m.

Suggest removal

and how much American taxpayer money was handed out to the criminal Hindus that poisoned innocent defenseless elderly people for profit? Millions of dollars stolen by shameless people -

And the same government can't even catch an ALKaiDa operative in midst of own Army.

It's all about your money and how they know how to spend it the best.
By neiman1

Nov. 21, 2009

8:13 a.m.

Suggest removal

Public hospital, public employees. Now lets put all your medical records on a government data base where they will be safe.

The problem with government programs is they are still run by people. Having the government in charge actually lowers the safety of the program as protected employees can't be fired with government regulations.
By STARBEAMS

Nov. 21, 2009

9:15 a.m.

Suggest removal

Having worked in a KCMO major metro Trauma Level One hospitals in the health information technology department where every trauma in the medical world comes together on w/e's along with the clinic pulls for the week and refiling the records from the daily clinics that were pulled the night before and morning before, this has to be a breach of employee confidentiality somewhere in the hospital system.

A very promenient lawyer whose family owned Katz Drug Stores hung around the one hospital bars watching the waitresses. This was before Viagra. God only knows where he hangs now.
By RustyShackleford

Nov. 21, 2009

1:09 p.m.

Suggest removal

So much for the theory espoused yesterday that by publishing this story, the Sun prevented the possibility of an investigation into this issue. Can't wait to see what that poster has to say now...
By Lenny_V

Nov. 21, 2009

1:28 p.m.

Suggest removal

Someone is going to jail.
By wizardofOz

Nov. 21, 2009

1:46 p.m.

Suggest removal

"...Commissioner Lawrence Weekly, chairman of the hospital's board of trustees, told the Sun that he was warned almost two weeks ago by "several credible people" that someone was leaking private patient information to an outside attorney. But Weekly did not report the information to anyone at UMC because he was not familiar with the HIPAA laws -- which include penalties of up to $250,000 in fines and 10 years in jail...."

What kind of uneducated crap-ola is this. This is just ANOTHER shining example of the useless elected tripe in office.

"Not familiar"...?

HOW MUCH YOU WANNA BET THIS GUY'S COMPLETELY FAMILIAR WITH HOW MUCH OF MY TAX MONEY HE IS PAID TO SHOW UP TO TWO MEETINGS A MONTH.

HOW MUCH YOU WANNA BET THIS GUY'S COMPLETELY FAMILIAR WITH WHO IS DONATING (AND HOW MUCH) TO HIS CAMPAIGN.

HOW MUCH YOU WANNA BET THIS GUY'S COMPLETELY FAMILIAR WITH EXACTLY SURE WHO HE'S COVERING FOR OVER AT UMC.

HERE'S A LINK TO CHECK CAMPAIGN FINANCE CONTRIBUTIONS AND EXPENSE REPORTS FOR CLARK.

IT'S FREE, AND YoWzA! DOES IT WORK WONDERS:

http://redrock.co.clark.nv.us/campaignfi......
By wizardofOz

Nov. 21, 2009

1:51 p.m.

Suggest removal

Lenny_V:
"Someone is going to jail."

START WITH THIS "CHAIRMAN" CRUMB AND WORK YOUR WAY UP AND DOWN (AND ACROSS) FROM THERE.
By magoo61

Nov. 21, 2009

11:46 p.m.

Suggest removal

And the lawyers buying the information will absolutely be disbarred and jailed....NOT!!! Maybe some pro-bono work if anything, protectionist State Bar, Medical board, Coroners Inquest, Sheriff, DA, AG, but the pour bastard who sold the info to pay the mortgage that they were swindled into or pay the kids college tuition will get prison time and restitution. The taxpayer will pay millions to those wronged. The breaking point is coming, I can feel it!