In recent days, five new instances of healthcare staff data theft have been discovered in Texas, New York, Washington, and Colorado.
Manhattan’s Lenox Hill Hospital Has PHI Stolen by Husband and Wife Team
In excess of 80 patients who visited the emergency room of Manhattan’s Lenox Hill Hospital have had their identities stolen and have possibly been defrauded, after a former staff member of the hospital stole their Protected Health Information.
Kyle Steed, 30, had worked at Lenox Hill Hospital since taking up a position there in 2011. He is alleged to have stolen patient data between January 2014 and February 2015, which his wife then used to defraud patients. Krystle Steed, 30, was given the data and used the information to take control of the patients’ bank accounts and obtain credit. She was able to convince banks and credit card companies to release funds, allowing her to make purchases in some of New York’s most exclusive retail outlets.
Patients’ credit card accounts were used to purchase hundreds of thousands of dollars’ worth of luxury goods. Overall, more than $300,000 of goods were obtained through various methods of deception. She also allegedly tried to obtain more than $1,000,000 in goods from Saks Fifth Avenue before she was arrested. Upon discovery of the crimes, Kyle Steed was relieved of his work with the hospital and subsequently had his employment contract terminated.
The pair were charged on Wednesday this week with multiple felonies including identity theft, attempted grand larceny, grand larceny, and criminal possession of stolen property. All impacted patients are in the process of being notified of the data theft and the crimes carried out against them.
450 Patient Records Stolen by Woodland Heights Medical Center Worker
A Texas Ranger recently found out that a former employee of Woodland Heights Medical Center in Lufkin, TX, had been illegally taking patient medical records while working at the hospital. A search of the employee’s home revealed that approximately 450 “face sheets” had been wrongfully removed from the hospital.
The face sheets contain a summary of patient health information that includes the patient’s name, contact telephone number, address, date of birth, employer, employer’s address, emergency contact phone numbers, guarantor’s name, account number, medical record number, health insurance details, and Social Security information. The dates on the face sheets were between 2013 and 2015.
The face sheets have all the information required to commit identity theft, medical fraud, tax fraud, and health insurance fraud, and consequently patients face a high chance of coming to financial harm due to the theft.
It is not yet clear when the data were taken or whether they have actually been used inappropriately. The presence of the data in the former employee’s home strongly suggests the information was taken with malicious intentions, although the individual in question has not yet been charged.
A thorough review of the security breach is ongoing, with both the hospital and law enforcement looking into the data theft. All patients impacted by the data breach were sent breach notification letters on December 1, and have been provided with credit monitoring and protection services free of charge for one year.
Improper Accessing of Patient Medical Files Uncovered by Colorado Hospital
In the past few days, it was revealed that a staff member at a UCHealth medical facility in Northern Colorado was also found to have been viewing the medical records of patients without proper permission. That security breach impacted 927 patients, although the accessing of the files was believed to have been out of curiosity, not with the aim of committing fraud.
Two Instances of Healthcare Staff Data Theft Discovered by PeaceHealth
Two cases of PHI theft by employees have been uncovered in Washington medical centers operated by PeaceHealth. The first happened in August 2015 and impacted patients of the PeaceHealth Southwest Medical Center, WA. The second took place in October and impacted patients of the PeaceHealth St. John Medical Center, WA. According to a breach notice published on the healthcare provider’s website, the first breach impacted 346 patients and the second affected 595 patients.
The first data breach happened when an employee sent data from the hospital to a personal email account, while the second was caused when an employee logged on to the healthcare provider’s system through third-party websites after departing employment.
A PeaceHealth data breach was recently added to the OCR breach reporting portal, which states that 1,407 patients have been affected. It would seem that the second data breach is more significant than first thought.
These five cases of healthcare data theft highlight the importance of carrying out regular audits of access logs to determine whether, and to what extent, healthcare workers are improperly viewing patient medical files.