Details emerge on Holy Cross Hospital breach

Last week, we noted that Holy Cross Hospital in Florida was notifying 9,900 patients that an employee had stolen their information – possibly for a tax refund fraud scheme. A letter to the Maryland Attorney General’s Office provides some additional details on the breach that makes the tax refund fraud scheme more probable, and not just possible. In a letter from their attorneys dated September 23, they state that Furthermore, it is believed that in some cases the employee contacted the IRS.gov shortly thereafter presumably to obtain false taxpayer filing PIN codes or to reset existing PIN codes. …

FL: Holy Cross Hospital patient records breached, possibly for tax refund fraud scheme

Brian Bandell reports: Holy Cross Hospital notified 9,900 of its patients that their personal information might have been breached by an employee who may have intended to commit tax fraud. Patient names, dates of birth, addresses and social security numbers were inappropriately accessed by an employee who has since been terminated, the nonprofit hospital said. This occurred between November 2011 and August 2013. Read more on South Florida Business Journal.  There’s no notice on the hospital’s site at this time and it’s not yet clear how they learned of the breach. CBS Miami adds an interesting detail: According to hospital officials, they recently learned that an employee in the Privacy Office had inappropriately accessed thousands of patient records. Bandell also provides some stats on patient data theft in Florida that are of interest: Identity theft from health care providers has been near epidemic levels in South Florida, as covered by a Business Journal feature story in April. More than 1.4 million patient records in South Florida have been impacted since 2009, according to federal records. Often, these records are stolen by people looking to commit identity theft or make fraudulent tax refund filings. And that’s just south Florida and only the cases that have already been detected and reported.

(follow-up) FL: Holy Cross Hospital ID theft ring members plead guilty and are sentenced

Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, and Henry Gutierrez, Special Agent in Charge, United States Postal Inspection Service, announced yesterday’s sentencing of Jimmy Lee Theodore, 27, of North Miami, following his plea of guilty to charges of wire fraud, unauthorized use of an access device (debit card), and aggravated identity theft. U.S. District Judge Donald C. Middlebrooks sentenced Theodore to 175 months’ imprisonment, to be followed by three years of supervised release. The Court also ordered $631,000 in restitution. According to statements made and documents filed during his guilty plea on April 6, 2011, Theodore and Albert Andrulonis used co-defendant Mildred Alexis to recruit co-defendant Natasha Orr, an emergency room employee at Holy Cross Hospital, to steal patients’ personal information from emergency room records. Alexis also recruited co-defendant Raushanah Bowleg, who worked for a doctor in Aventura, to steal similar patient information from her employer. Alexis then sold the stolen patient information obtained from Orr and Bowleg to Andrulonis. Alexis shared a portion of proceeds from the sale of the stolen information with Orr and Bowleg. Andrulonis and Theodore used the stolen patient information to gain on-line access to existing accounts and telephone banking services at J.P. Morgan Chase Bank and to make cash withdrawals and purchase money orders through ATM machines. At sentencing, the court held Theodore responsible for a $419,000 loss incurred by Holy Cross Hospital due to the identity theft and a $212,000 loss incurred by J.P. Morgan Chase Bank. The court also found that Theodore was the manager of the operation, that the fraud used sophisticated means, and affected at least 250 victims. Co-defendants Andrulonis, Orr, Alexis, and Bowleg and have all either pled guilty or are awaiting sentence. On June 7, 2011, Andrulonis, 27, of Davie, was sentenced to 132 months’ imprisonment, to be followed by three years of supervised release and the payment of $300,000 in restitution. On April 15, 2011, Orr was sentenced to 24 months in prison, to be followed by 3 years of supervised release. On May 25, 2011, Alexis was sentenced to 40 months in prison, to be followed by 3 years of supervised release. On May 27, 2011, Bowleg, 30 of Miami, pled guilty to wrongful disclosure of individually identifiable health information. Sentencing is scheduled for August 15, 2011. Source: United States Attorney’s Office for the Southern District of Florida. [Previous coverage on PHIPprivacy.net here. ] According to the complaint and the stipulation of facts filed, the unnamed doctor whose patient files were also stolen was Dr. Elliot Stein of Aventura. Investigators found typed lists with  his patients’ names, addresses, Social Security numbers, dates of birth, and specific health information.

Former Holy Cross Hospital employee sentenced to prison for disclosing patient information

Natasha Lolita Orr, 36, of Miami, a former employee at Holy Cross Hospital, was sentenced today after previously pleading guilty to disclosing individually identifiable health information. During the previous plea hearing, Orr admitted to stealing patient information from the Holy Cross Hospital Emergency Room during her employment at the hospital. She then sold that stolen information to co-conspirators who used the patients’ information to fraudulently obtain bank account information in the names of the patients and obtain debit cards in the patients’ names. Orr was sentenced to 24 months in prison, including 12 months of home confinement, to be followed by 3 years of supervised release. Co defendants Jimmy Lee Theodore, 27 of Miami, Albert Andrulonis, 27 of Davie, and Mildred Conception Alexis, 42 of Miami, all pled guilty and are awaiting sentencing. Co-defendant Raushanah Bowleg, 30, of Miami, is scheduled to go trial on May 31, 2011. Previous coverage of this case on PHIprivacy.net Source: U.S. Attorney’s Office, Southern District of Florida

Former Holy Cross Hospital employee sentenced to prison for disclosing patient information

Natasha Lolita Orr, 36, of Miami, a former employee at Holy Cross Hospital, was sentenced today after previously pleading guilty to disclosing individually identifiable health information. During the previous plea hearing, Orr admitted to stealing patient information from the Holy Cross Hospital Emergency Room during her employment at the hospital. She then sold that stolen information to co-conspirators who used the patients’ information to fraudulently obtain bank account information in the names of the patients and obtain debit cards in the patients’ names. Orr was sentenced to 24 months in prison, including 12 months of home confinement, to be followed by 3 years of supervised release. Co defendants Jimmy Lee Theodore, 27 of Miami, Albert Andrulonis, 27 of Davie, and Mildred Conception Alexis, 42 of Miami, all pled guilty and are awaiting sentencing. Co-defendant Raushanah Bowleg, 30, of Miami, is scheduled to go trial on May 31, 2011. Previous coverage of this case on PHIprivacy.net Source: U.S. Attorney’s Office, Southern District of Florida