UMC admits to prolonged patient privacy leak

Sam Morris

The entrance to University Medical Center’s trauma unit and emergency room is shown in 2009.

By Marshall Allen

Tuesday, Jan. 26, 2010 | 2 a.m.

University Medical Center officials said Monday that personal information of traffic accident victims was likely leaked from its trauma center for more than three months, and stopped only after the Las Vegas Sun told the hospital about the breach.

The hospital’s statement was the first acknowledgment that the leak of patient data was more widespread than it had previously said, and closer in time to what the Sun had reported.

The FBI launched an investigation into the leaks after the Sun told hospital officials Nov. 19 that it had come in possession of “face sheets,” the cover sheets that contain personal information about each case, such as Social Security numbers, birth dates and accident details and injuries sustained.

The hospital’s statement Monday said the leaks stopped the day of the Sun’s inquiry, but did not explain how it knew that. The hospital said it’s believed that the face sheets were being released since July 30.

The Sun reported Nov. 20 that someone at the hospital had allegedly been selling the patient information to personal injury attorneys to find clients. The breach had apparently been going on for months, the Sun reported.

The FBI is investigating because such leaks of patient data would violate the Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy in health care facilities.

UMC waited almost a month to notify patients about the leak of their personal information, and that of people who accompanied patients to the trauma center. UMC is offering the victims free credit monitoring services for a year, although there have not been any reports that the data have been misused.

“UMC apologizes for any inconvenience or concern this may cause our patients,” the statement said.

In addition to working with federal investigators on the case, UMC is finding ways to improve its privacy practices, the statement said.

When the Sun talked Nov. 19 to Kathy Silver, the hospital’s CEO, she said it was unlikely that there was a breach of private patient information. She had heard rumors of a leak during the summer, but a cursory investigation she conducted had revealed nothing, she said.

“I thought it was a nonissue,” Silver said at the time.

That’s when the Sun told her that it had 21 UMC face sheets from Oct. 31 and Nov. 1 traffic accident victims — verifying the leak.

“Wow,” Silver said.

A source in the medical community had provided the newspaper with the documents. The source is several degrees removed from the leak at UMC and did not know exactly where the documents came from. Many people knew about the leak and had tried to tell the hospital’s administrators and Clark County commissioners, the source said, but no action had been taken. The commission serves as UMC’s board.

UMC officials did not return requests for comment for this story. The hospital said in its statement that its original investigation only included Oct. 31 and Nov. 1. But then it became clear that there was need to expand the investigation.

Congress recently increased the penalties for HIPAA violations. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.

UMC has a spotty record of adhering to patient privacy laws, Clark County auditors have previously found. Three county audits since June 2007 showed that although UMC employees are almost universally aware of the patient privacy policies mandated by HIPAA, they have had a more difficult time with implementation.

Failure by the UMC workforce to comply with privacy safeguards “makes the hospital vulnerable” to compromising patient information, county auditors wrote Sept. 15.

“Each of these potential events presents a risk to patient safety, loss of customer confidence, while significant failures may result in federal and state investigations that can result in corrective actions and fines,” the auditors wrote.

Anyone with information about the unauthorized release of information, or any patient who has received unsolicited contact from a law firm, is asked to call the hospital at 1-888-691-0772, or Hope Hammond, UMC’s privacy officer, at 383-3854.