Broward Health data breach released patient information to tax fraud ring

By Dan Christensen, FloridaBullog.org 

For the second time in three years, a data breach at Broward Health has caused the release of personal patient information in what one district executive called “a ring of thugs.”

Broward Health disclosed the breach on its website last month, saying it was advised by “law enforcement authorities” on May 12 that “patient information was discovered at an individual’s home during a routine investigation.”

Broward Health’s internal investigation later determined the sensitive patient information “was taken from Broward Health Imperial Point” in Fort Lauderdale by “an unidentified individual.”

The stolen information were hospital Facesheets that contain a patient’s full name, date of birth, address, phone numbers, Social Security number, primary insurance provider, insurance guarantor, reason for visit, emergency contact/next of kin information.

“The data removal is believed to have occurred between November 2011 and March 2012. We have notified 126 former patients or their listed next of kin of the privacy breach by mailing a letter to their last known address on September 23, 2016,” Broward Health’s disclosure said. “We also offered them an identity theft protection service at no cost.”

No explanation was given for the gap in time between the breach and the date it was discovered. Broward Health, however, said it has completed its internal probe and is “reviewing and enhancing safeguards to better ensure the security of patient information.”

Doris Peek, Broward Health’s senior vice president and chief information officer, said the breach is the latest in a series of data thefts at Florida hospitals, including Fort Lauderdale’s Holy Cross, Hollywood’s Memorial Regional and the University of Florida’s Shands Hospital in Gainesville.

‘Busted last year’

“This ring of thugs got busted last year,” said Peek. “They send in tax information to the IRS about persons to get their tax refund. They targeted the older and sick population.

Peek said the identity theft ring has paid hospital registrars, among the lowest paid of hospital workers, to provide them with printed copies of the Facesheets.

Police in Coral Springs, responding to a domestic violence report, found the Broward Health Facesheets, and turned them over to Broward Health’s security department, said Peek.

Broward Health disclosed a larger data breach in 2013 at Broward Health Medical Center, the hospital district’s flagship in downtown Fort Lauderdale. That time Broward Health sent letters to approximately 960 former patients notifying them of the breach involving their personal information.

Again the breach involved misappropriated Facesheets. However, Broward Health managed to identify the culprit as “an employee who no longer works at the hospital.” The ex-employee was not named. The breach was said to have occurred between October and December 2012.

In September 2013, Holy Cross notified 9,900 former patients that a former employee had wrongly accessed their personal information. CBS Miami reported then that an investigation by the hospital found “the employee may have wanted the information to file fraudulent tax returns.”
Holy Cross suffered another breach in 2010 when an identity theft ring obtained emergency room files to steal Social Security numbers and other information of about 1,500 patients, according to a report in the Sun-Sentinel. Four people were arrested, including an emergency room employee.

In 2012, Memorial Healthcare System notified about 9,500 patients of an investigation into two ex-employees who improperly accessed patient records. The former employees were apparently using the private information in those records to file false tax returns, according to a story at the time by Modern Healthcare.