Details emerge on Holy Cross Hospital breach

Last week, we noted that Holy Cross Hospital in Florida was notifying 9,900 patients that an employee had stolen their information – possibly for a tax refund fraud scheme. A letter to the Maryland Attorney General’s Office provides some additional details on the breach that make the tax refund fraud scheme more probable, not just possible. In a letter from their attorneys dated September 23, they state: Furthermore, it is believed that in some cases the employee contacted IRS.gov shortly thereafter, presumably to obtain false taxpayer filing PIN codes or to reset existing PIN codes. …

FL: Holy Cross Hospital patient records breached, possibly for tax refund fraud scheme

Brian Bandell reports: Holy Cross Hospital notified 9,900 of its patients that their personal information might have been breached by an employee who may have intended to commit tax fraud. Patient names, dates of birth, addresses and Social Security numbers were inappropriately accessed by an employee who has since been terminated, the nonprofit hospital said. This occurred between November 2011 and August 2013. Read more on South Florida Business Journal. There’s no notice on the hospital’s site at this time and it’s not yet clear how they learned of the breach. CBS Miami adds an interesting detail: According to hospital officials, they recently learned that an employee in the Privacy Office had inappropriately accessed thousands of patient records. Bandell also provides some stats on patient data theft in Florida that are of interest: Identity theft from health care providers has been near epidemic levels in South Florida, as covered by a Business Journal feature story in April. More than 1.4 million patient records in South Florida have been impacted since 2009, according to federal records. Often, these records are stolen by people looking to commit identity theft or make fraudulent tax refund filings. And that’s just South Florida and only the cases that have already been detected and reported.

(follow-up) FL: Holy Cross Hospital ID theft ring members plead guilty and are sentenced

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and Henry Gutierrez, Special Agent in Charge, United States Postal Inspection Service, announced yesterday’s sentencing of Jimmy Lee Theodore, 27, of North Miami, following his plea of guilty to charges of wire fraud, unauthorized use of an access device (debit card), and aggravated identity theft. U.S. District Judge Donald C. Middlebrooks sentenced Theodore to 175 months’ imprisonment, to be followed by three years of supervised release. The Court also ordered $631,000 in restitution. According to statements made and documents filed during his guilty plea on April 6, 2011, Theodore and Albert Andrulonis used co-defendant Mildred Alexis to recruit co-defendant Natasha Orr, an emergency room employee at Holy Cross Hospital, to steal patients’ personal information from emergency room records. Alexis also recruited co-defendant Raushanah Bowleg, who worked for a doctor in Aventura, to steal similar patient information from her employer. Alexis then sold the stolen patient information obtained from Orr and Bowleg to Andrulonis. Alexis shared a portion of the proceeds from the sale of the stolen information with Orr and Bowleg. Andrulonis and Theodore used the stolen patient information to gain on-line access to existing accounts and telephone banking services at J.P. Morgan Chase Bank and to make cash withdrawals and purchase money orders through ATMs. At sentencing, the court held Theodore responsible for a $419,000 loss incurred by Holy Cross Hospital due to the identity theft and a $212,000 loss incurred by J.P. Morgan Chase Bank. The court also found that Theodore was the manager of the operation, that the fraud used sophisticated means, and that it affected at least 250 victims. Co-defendants Andrulonis, Orr, Alexis, and Bowleg have all either pled guilty or are awaiting sentencing.
On June 7, 2011, Andrulonis, 27, of Davie, was sentenced to 132 months’ imprisonment, to be followed by three years of supervised release and the payment of $300,000 in restitution. On April 15, 2011, Orr was sentenced to 24 months in prison, to be followed by 3 years of supervised release. On May 25, 2011, Alexis was sentenced to 40 months in prison, to be followed by 3 years of supervised release. On May 27, 2011, Bowleg, 30, of Miami, pled guilty to wrongful disclosure of individually identifiable health information. Sentencing is scheduled for August 15, 2011. Source: United States Attorney’s Office for the Southern District of Florida. [Previous coverage on PHIprivacy.net here.] According to the complaint and the stipulation of facts filed, the unnamed doctor whose patient files were also stolen was Dr. Elliot Stein of Aventura. Investigators found typed lists with his patients’ names, addresses, Social Security numbers, dates of birth, and specific health information.

Former Holy Cross Hospital employee sentenced to prison for disclosing patient information

Natasha Lolita Orr, 36, of Miami, a former employee at Holy Cross Hospital, was sentenced today after previously pleading guilty to disclosing individually identifiable health information. During the previous plea hearing, Orr admitted to stealing patient information from the Holy Cross Hospital Emergency Room during her employment at the hospital. She then sold that stolen information to co-conspirators who used the patients’ information to fraudulently obtain bank account information in the names of the patients and obtain debit cards in the patients’ names. Orr was sentenced to 24 months in prison, including 12 months of home confinement, to be followed by 3 years of supervised release. Co-defendants Jimmy Lee Theodore, 27, of Miami, Albert Andrulonis, 27, of Davie, and Mildred Conception Alexis, 42, of Miami, all pled guilty and are awaiting sentencing. Co-defendant Raushanah Bowleg, 30, of Miami, is scheduled to go to trial on May 31, 2011. Previous coverage of this case on PHIprivacy.net. Source: U.S. Attorney’s Office, Southern District of Florida

(update) Holy Cross Hospital (FL) breach affected 1500

As a small update to the Holy Cross Hospital breach reported previously on this site: Holy Cross’s report to HHS indicates that 1,500 patients were affected by the July 27 theft of paper records. It’s not clear why the hospital took until Dec. 2 to report the incident to HHS, as it had publicly revealed the incident on Nov. 11. Nor is it clear whether they will be fined for delayed notification to HHS, although somehow I doubt HHS will fine them as they don’t really seem to fine anyone!

Holy Cross Hospital Notifies Emergency Room Patients of Possible Data Breach

FT. LAUDERDALE (November 10, 2010) – Holy Cross Hospital announced today that it has begun sending letters to notify some of its hospital Emergency Room patients of a possible compromise of personal data from patient data sheets and to offer free credit monitoring services. Holy Cross Hospital was informed by federal authorities that personal data from 38 Holy Cross Hospital patient data sheets had been recovered in a criminal investigation. Working in cooperation with the U.S. Attorney’s Office and U.S. Postal Inspection Service since June, Holy Cross conducted a thorough internal investigation and eventually identified an employee as the source of the data theft. The individual’s employment at the Hospital was immediately terminated. The investigation determined that this was not a compromise of the hospital’s computer systems or network security, but involved paper copies of patient data sheets. These sheets contained basic identifying information including names, addresses, dates of birth, Social Security numbers, and brief descriptions of initial diagnosis from the Emergency Room visits. “We place the highest priority on protecting the privacy and security of our patients’ confidential personal information,” said Dr. Patrick Taylor, President and CEO of Holy Cross Hospital. “We expect all Holy Cross employees to reflect this institution’s strong values of caring and dedication to the welfare of our patients. For that reason we are outraged and saddened by this former employee’s violation of that trust placed in us by our patients. We pledge to continue our full cooperation with law enforcement officials and prosecutors to ensure the administration of just punishment to all of those connected with this reprehensible act.” At this time the hospital believes as many as 1,500 patient data sheets of Emergency Room patients may have been compromised by this employee during the period of April 2009 to September 2010.
Since it is impossible to determine the identities of all those possibly affected, the hospital is taking the extra precaution of notifying each patient who came through the Emergency Room during the period of time that the employee worked in the Emergency Room. Patients who received treatment in other hospital departments are not part of this notification and are not affected by this incident. The process of sending out the notification letters began this morning. “While it may be impossible to absolutely prevent an employee from violating our values and policies for personal gain, we are determined to take all necessary steps to review and strengthen our administrative procedures to ensure that we are providing the highest level of data security possible,” said Dr. Taylor. According to Dr. Taylor, the hospital has already made a procedural change that limits the amount of key personal data included in the type of documents involved in this incident. The hospital is also conducting a comprehensive review of its systems, policies and procedures to identify any other possible improvements. In the letter that the affected patients will receive, Holy Cross Hospital is offering one year of free credit monitoring services from Experian to help them monitor against the possibility of identity theft and providing an information line to field patient inquiries (1-800-388-4301). Additional information is available at www.holycrossIDprotect.com. Source: Holy Cross Hospital

UVA Health notified patients after Ciox Health data breach (updated)

Someone on Twitter asked me what the first breach of 2022 would be. The following public notice is not the first breach of 2022. It is a 2021 breach that just showed up after midnight in my news search this morning. And because it involves a third-party breach, we may see other covered entities affected, too. DataBreaches.net has reached out to Ciox Health to ask for more details. In the meantime, here is UVA’s public notice:

On December 3, 2021, UVA Health, including the UVA Medical Center in Charlottesville and UVA Culpeper Medical Center in Culpeper, learned from Ciox Health, a vendor of health information management services for UVA Health and many other health systems and providers nationwide, that an unauthorized person accessed a Ciox Health employee’s email account and may have been able to view health information of patients of several of Ciox’s health system and provider clients, including the information of 429 UVA Health patients (0.01% of total UVA Health patient records). Ciox Health has informed UVA Health that the unauthorized access occurred between June 24 and July 2, 2021, and during that time an unauthorized individual may have downloaded emails and attachments in the account. Ciox Health began investigating this incident as soon as they detected it and promptly reported it to UVA Health. They have provided the following details regarding this incident:

What Happened?

Ciox Health became aware of unusual activity on the email account of one of their employees and, after securing the account, launched an investigation with the assistance of an outside cybersecurity firm. Unfortunately, Ciox Health has indicated that their investigation was unable to determine whether any emails or attachments were actually viewed or acquired. The activity occurred solely within Ciox Health’s systems and did not in any way compromise the security of UVA Health’s electronic medical record or other systems.

What Information was Involved?

Ciox Health reviewed the information contained in their employee’s account and determined that the information contained in the account included patient names, dates of birth, provider names and dates of service. Patients’ Social Security numbers and financial information were not viewable.

What Are Ciox and UVA Health Doing to Address this Issue?

Ciox Health assures us that they are implementing additional procedures to further strengthen email security including best-practice multi-factor email authentication as well as enforcing annual compliance training specific to security awareness and identifying and avoiding suspicious emails. Because the data breach occurred within Ciox Health’s systems, UVA Health has no reason to believe that its systems or security have been compromised. UVA Health mailed letters on December 30, 2021 to those patients who Ciox Health was able to directly identify as potentially having been impacted by this issue. This publication is intended to make patients who might have been impacted, but for whom we do not have sufficient information to contact them directly, aware of this issue.

What Can UVA Health’s Patients Do?

Ciox Health has indicated that it believes the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox Health and has no indication that patients’ information has been misused. However, as a precaution, UVA Health recommends that all patients continue to review statements they receive from their healthcare providers and health insurance provider and to contact their provider or insurer immediately if there are charges for services they did not receive. And as always, it is important to observe email best practices by being aware and not clicking on links or attachments in emails from senders you do not recognize. If you have any questions or need additional information, Ciox Health will provide a dedicated call center for affected patients. Patients with questions or who need more information can call 855.618.3107 between 9 a.m. – 6:30 p.m. Eastern Time, Monday through Friday. UVA Health and Ciox Health apologize for this incident and regret any inconvenience or concern this causes our patients. Source: UVA Health

Updated Jan. 3: Ciox responded to this site’s inquiry with the following statement: The security incident involved one employee’s email account. Because this employee worked in a customer service role, servicing customers nation-wide, there were many providers impacted. Ciox Health has previously reached out to impacted customers and notified appropriate regulators in accordance with applicable law. So it is still not clear exactly how many patients have been notified or impacted as a result of this third-party breach.

Updated Jan. 5: Here is a list Ciox published of its clients on whose behalf it is providing notification:

LIST OF HEALTHCARE PROVIDERS ON WHOSE BEHALF CIOX HEALTH IS PROVIDING NOTICE OF EMAIL SECURITY INCIDENT

AdventHealth – Orlando
Alabama Orthopaedic Specialists
Baptist Memorial Health Care
Butler Health Systems
Cameron Memorial Community Hospital
Centra Health
Children’s Healthcare of Atlanta
Coastal Family Health Center
Copley Hospital
DeSoto Memorial Hospital Health System
EvergreenHealth
Hoag Health System
Hospital Sisters Health System
Huntsville Hospital Health System
Indiana University Health
McLeod Health System
MD Partners
Niagara Falls Memorial Medical Center Health System
Northern Light Mercy Hospital
Northwestern Medicine
Ohio State University Health System
OrthoConnecticut
Prisma Health – Greenville Health System
Prisma Health – Palmetto Health
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Holy Cross Hospital
Trinity Health – Mount Carmel Health System
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Francis Medical Center
Trinity Health – St. Joseph Mercy Health System
Union Hospital Healthcare System
Women’s Health Specialist

Unencrypted laptops still a major cause of breach reports to HHS

Here’s a run-down of the 29 breaches HHS added to its breach tool today, organized by those we already knew about vs. ones that we didn’t know about. With today’s additions, the breach counter on HHS for breaches affecting over 500 patients stands at 711 since September 23, 2009, when HITECH reporting requirements went into effect. In the newest additions, approximately half of the incidents involved laptop or computer theft, and almost one fourth involved an intentional insider breach.

Breaches previously reported on this blog, updated to include numbers reported to HHS if not previously disclosed:

Saint Louis University notified HHS of their email breach.
AHMC Healthcare Inc. and affiliated Hospitals notified HHS of laptop thefts, previously reported here and here.
ICS Collection Service, Inc. on behalf of University of Chicago Physicians Group reported that 1,290 patients were affected by the exposure breach previously reported here.
Memorial Hospital of Lafayette County named the vendor involved in its mailing error breach as Healthcare Management System. The number affected was reported to HHS as 4,330, although their public statement said 6,000.
SSM Health Care of Wisconsin dba St. Mary’s Janesville Hospital notified HHS of the laptop stolen from an employee’s car.
Carol L. Patrick, Ph.D. notified HHS that 517 patients had PHI on computers stolen during an office burglary.
Seton Healthcare Family notified HHS of the incident involving a stolen laptop.
Sentara Healthcare notified HHS of the insider breach reported here.
Reconstructive Orthopaedic Associates dba Rothman Institute notified HHS that 2,350 patients were affected by the employee theft of daily patient schedules.
Hospice of the Chesapeake reported that 7,035 patients were affected by an employee e-mailing spreadsheets with their information to a home account that may have been hacked. The hospice’s statement at the time mentioned 500 patients.
TSYS Employee Health Plan reported that 5,232 were affected by this insider breach. They do not seem to have named the business associate responsible, but that’s in previous coverage of this incident.
CaroMont Medical Group reported that their incident involving unsecured e-mail affected 1,310.
Broward Health Medical Center notified HHS of this insider breach after law enforcement uncovered the data theft.
HOPE Family Health reported that 6,932 patients had PHI on the laptop stolen from a home.
University of California - San Francisco reported this laptop theft.
Santa Clara Valley Medical Center reported that 579 patients had PHI on a stolen laptop.
Holy Cross Hospital reported this insider breach.
North Country Hospital and Health Center reported that 550 patients had PHI on a laptop a former employee declined to return to them (they report it as theft).
Hankyu Chung, M.D. reported that 2,182 patients had PHI on a laptop stolen in an office burglary.

Breaches reported to HHS not previously noted on this blog:

1. Good Samaritan Hospital in California notified 3,833 pacemaker patients about a laptop stolen on July 8. A statement linked from their homepage reads, in part:

On July 8, 2013, we learned that a laptop computer containing information about pacemaker readings was missing. Initially we had understood the information was not linked to any patient identifying information, but on September 23, 2013, we learned that the laptop also had data files that could be linked to the pacemaker readings that included patient identifying information. We learned that the missing laptop included patient names, birth dates, addresses, telephone numbers, and health insurance company names. The data files also included patient diagnoses and treatment information related to patients’ cardiology conditions pertinent to their pacemakers. Social Security numbers of five patients were also included. The information on the computer was protected by a password and was stored in separate files that make it more difficult to access. The laptop did not, however, have the extra protection of encryption, which scrambles the information on the computer unless you are an authorized user. No financial information was involved. This incident did not affect all Good Samaritan Hospital patients, only some of the Hospital’s patients who had pacemakers checked from 1996 through July 2013.

2. Texas Health Presbyterian Dallas Hospital reported that 949 patients had PHI on a computer stolen on August 22. It took some searching, but I did locate a statement on their web site that says, in part:

On August 23, 2013, Texas Health Dallas learned that the treatment planning computer was missing from the Gamma Knife department. The theft was immediately reported to the Dallas Police Department – Report Number 216375-A. The security cameras were reviewed and we were able to determine that the theft occurred on or about 6 p.m. on August 22, 2013. A copy of the video showing the perpetrator was provided to the Dallas Police Department. We continue to work toward identification of the perpetrator and have strengthened our security procedures. The computer was password-protected. It would be difficult to access the information without the password. The information on the computer included the following: name, date of birth, age, gender, radiology images, radiation therapy dose planning, treating diagnosis and the medical record number assigned by the hospital. We have no knowledge that any of the information included on the computer has been accessed or used inappropriately. However, we do urge you to contact law enforcement immediately if you notice any unusual activity related to any of your personal accounts. If you would like for us to flag your records for possible identity theft, we will be happy to do so.

3. Ferris State University – Michigan College of Optometry notified HHS about a malware breach affecting 3,947 that occurred in December 2011. Interestingly, I had recently noted a Ferris State U. breach over on DataBreaches.net, but those reports had not indicated that any patient data were involved. I was able to locate a later notice on the College of Optometry’s site that suggests that their report was, indeed, part of the same situation reported on DataBreaches.net. Neither the prior notice nor this one tells recipients that the malware resided on the server since December 2011:

On July 23, 2013, we learned that an unauthorized person evaded our network security and placed a malware program on the computer we use to operate our website. That program had the technical ability to […]
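The "about half laptop or computer theft, about a quarter insider" figures above come from reading each new entry in the HHS breach tool. As an added example, not code from the original post or from HHS, here is a small Python script that does that sort of tally over rows in the shape of the HHS breach portal's CSV export. The column names "Type of Breach" and "Location of Breached Information" are assumed from that export, and the sample rows are constructed for illustration, not real reports. Note the caveat built into it: the portal records a breach type but not intent, so "Unauthorized Access/Disclosure" entries are only flagged for review rather than counted as insider incidents outright.

```python
"""Tally HHS breach-portal rows into the coarse buckets used in the post.

Added example, not from the original post or from HHS. Column names are
assumed from the portal's CSV export; SAMPLE_CSV is constructed data.
"""
import csv
import io
from collections import Counter

# Constructed sample in the shape of the HHS breach tool's CSV export.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Hospital A,FL,Healthcare Provider,1500,12/02/2010,Theft,Paper/Films
Example Clinic B,CA,Healthcare Provider,3833,10/01/2013,Theft,Laptop
Example Health C,TX,Healthcare Provider,949,10/02/2013,Theft,Desktop Computer
Example Hospice D,MD,Healthcare Provider,7035,10/02/2013,"Unauthorized Access/Disclosure",Email
Example University E,MI,Healthcare Provider,3947,10/03/2013,Hacking/IT Incident,Network Server
Example Group F,PA,Healthcare Provider,2350,10/03/2013,Theft,Paper/Films
"""

# Location values that mean a whole device (not just a file) walked away.
DEVICE_LOCATIONS = ("laptop", "desktop computer", "portable electronic device")


def classify(row):
    """Map one breach-portal row to one of the post's coarse buckets.

    The portal's "Type of Breach" can list several values ("Theft, Loss"),
    so it is split on commas before matching.
    """
    kinds = {k.strip().lower() for k in row["Type of Breach"].split(",")}
    where = row["Location of Breached Information"].strip().lower()
    if "theft" in kinds or "loss" in kinds:
        if any(dev in where for dev in DEVICE_LOCATIONS):
            return "device theft/loss"
        if "paper" in where:
            return "paper theft/loss"
        return "other theft/loss"
    if "unauthorized access/disclosure" in kinds:
        # The portal does not record intent, so an insider count needs a
        # read of each entry; these are flagged for manual review only.
        return "unauthorized access/disclosure (review for insider)"
    if "hacking/it incident" in kinds:
        return "hacking/IT incident"
    return "other"


def tally(csv_text):
    """Return (Counter of bucket -> number of incidents, total incidents)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter(classify(row) for row in reader)
    return counts, sum(counts.values())


def share(counts, total, bucket):
    """Fraction of all incidents that fell into one bucket (0.0 if none)."""
    return counts.get(bucket, 0) / total if total else 0.0


if __name__ == "__main__":
    counts, total = tally(SAMPLE_CSV)
    for bucket, n in counts.most_common():
        print(f"{n:3d}  {share(counts, total, bucket):6.1%}  {bucket}")
```

Run against the real export, the same script gives the device-theft share for any batch of additions; the insider figure still has to be read out of the flagged "Unauthorized Access/Disclosure" rows, which is exactly the manual step the post's "almost one fourth" reflects.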

(follow-up) FL: 5th suspect held in ID-theft ring targeting Holy Cross patients

Juan Ortega reports: Federal authorities have arrested the last of five suspects in an identity-theft ring that targeted patients at Holy Cross Hospital. Jimmy Lee Theodore, 27, of Pembroke Pines, was taken into custody Tuesday, charged with using patients’ stolen identities to obtain debit cards, authorities said. […] As a precaution, Holy Cross sent letters to 44,000 patients who visited the emergency room from April 2009 to September 2010, warning them to make sure their personal information is not misused. Read more on SunSentinel.com