As I was looking for more media coverage on the Florida Hospital breach discussed earlier today, I was surprised to come across a news report from October 2011 that I had missed. I wasn’t surprised that I had missed the news story, but I was surprised by what it claimed. WFTV, which has been all over this breach since the beginning, had reported:
An agent confirmed on Wednesday night that the FBI is investigating the patient records breach at Florida Hospital. Osceola County released new documents Wednesday that show the hospital suspected three employees were selling patient information at least six weeks ago.
The suspects are identified as husband and wife, 35-year-old Dale Munroe and 31-year-old Katrina Munroe, along with 30-year-old April Baker.
Osceola County said it was not able to make arrests because the hospital did not cooperate with the investigation, citing federal HPPA [sic] laws. That means the FBI will have to look further into the matter to see if federal charges will be filed against the three.
The hospital couldn’t cooperate in an investigation involving theft of patient data because of HIPAA? I’d like to see/understand their explanation of this. I have sent an email inquiry to the hospital about certain points raised in WFTV’s coverage.
Read more of this earlier article on WFTV.
I’ve uploaded the complaint in U.S.A. v. Munroe. According to the docket, Munroe was arrested on August 14. The supporting affidavit details how Munroe used his computer access at the Celebration location to quickly scroll through emergency room patients’ records to identify those who had been involved in automobile accidents. The hospital’s network, however, also enabled him to conveniently access the same type of records for emergency room patients at all other Florida Hospital locations. From late 2009 through mid-2011, Munroe reportedly viewed 763,000 patients’ emergency room records on a summary screen that displayed 10 patients’ records per screen. Of those 763,000 patients, over 12,000 patients’ records were viewed for longer than one second, involved a motor vehicle accident, and/or resulted in the access of additional files. These were the patients that Florida Hospital notified last year. Many patients reported that within days after being seen in the emergency room, they received solicitation calls asking if they needed a referral to a lawyer or chiropractor.
According to the complaint, Munroe provided information to “S.K.,” who allegedly paid him and his wife approximately $10,000 for the information provided. S.K. allegedly then conveyed that information to other(s) who solicited patients for lawyers and chiropractors. The complaint notes that S.K. may be part of an insurance fraud ring involving staged accidents.
Ironically, perhaps, Munroe was not fired for this illegal activity. He was fired in July 2011 after the hospital discovered he improperly accessed the file of a physician who had been killed. After his termination, his wife and a co-worker continued accessing patient records, presumably to provide to S.K. Their role was discovered in August 2011 after an employee received a solicitation call and contacted the hospital to report the leak. The hospital audited access to the relevant records, fired Munroe’s wife and co-worker, and began a more extensive audit of access to ER patient data. It was only then that they uncovered Dale Munroe’s activities.
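The affidavit’s description of the access pattern (rapid scrolling through summary screens, views spread across every hospital location rather than the employee’s own, and the hospital’s later audit that separated substantive views from incidental ones) is essentially a specification for an access-log review. The following is an added example, not code from the hospital, the complaint or this post: it runs that kind of review over a small constructed log. The column names, the home-site field, the thresholds and the user names in the sample data are all assumptions made for the illustration; the "substantive view" rule mirrors the three criteria the affidavit describes (viewed longer than one second, motor vehicle accident flag, and/or additional files opened).

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample access log (hypothetical schema; not real hospital data).
# home_site is the employee's assigned location; site is where the record lives.
SAMPLE_LOG = """\
ts,user,home_site,site,patient_id,view_seconds,mva,extra_files
2011-03-01T08:00:01,user_a,Celebration,Celebration,P1001,0.4,1,0
2011-03-01T08:00:02,user_a,Celebration,Celebration,P1002,0.3,0,0
2011-03-01T08:00:05,user_a,Celebration,Celebration,P1003,4.0,1,2
2011-03-01T08:01:10,user_a,Celebration,Orlando,P2001,0.5,0,0
2011-03-01T08:01:12,user_a,Celebration,Orlando,P2002,3.1,1,1
2011-03-01T08:02:00,user_a,Celebration,Altamonte,P3001,2.2,0,1
2011-03-01T09:15:00,nurse_b,Celebration,Celebration,P1003,120.0,1,3
2011-03-01T09:30:00,nurse_b,Celebration,Celebration,P1004,95.0,0,2
"""


def parse_log(text):
    """Parse the CSV log into a list of dicts with typed numeric fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["view_seconds"] = float(r["view_seconds"])
        r["mva"] = r["mva"] == "1"
        r["extra_files"] = int(r["extra_files"])
        rows.append(r)
    return rows


def is_substantive_view(row):
    """Affidavit-style criteria: >1 s on the record, MVA flag, and/or extra files opened."""
    return row["view_seconds"] > 1.0 or row["mva"] or row["extra_files"] > 0


def summarize_access(rows):
    """Per-user counts: total views, rapid (<=1 s) views, cross-site views, substantive views."""
    stats = defaultdict(lambda: {"views": 0, "fast_views": 0, "cross_site": 0,
                                 "substantive": 0, "sites": set()})
    for r in rows:
        s = stats[r["user"]]
        s["views"] += 1
        s["sites"].add(r["site"])
        if r["site"] != r["home_site"]:
            s["cross_site"] += 1
        if r["view_seconds"] <= 1.0:
            s["fast_views"] += 1
        if is_substantive_view(r):
            s["substantive"] += 1
    return dict(stats)


def flag_users(stats, min_views=5, max_cross_site_ratio=0.25, max_fast_ratio=0.4):
    """Flag users whose volume, cross-site spread or scrolling speed exceeds assumed thresholds.

    Thresholds are illustrative; a real deployment would baseline them per role and site.
    """
    flagged = {}
    for user, s in stats.items():
        if s["views"] < min_views:          # too little activity to judge
            continue
        reasons = []
        if s["cross_site"] / s["views"] > max_cross_site_ratio:
            reasons.append("cross_site_access")
        if s["fast_views"] / s["views"] > max_fast_ratio:
            reasons.append("rapid_scrolling")
        if reasons:
            flagged[user] = reasons
    return flagged


def patients_to_notify(rows, flagged_users):
    """Patients with a substantive view by a flagged user: the notification list."""
    return sorted({r["patient_id"] for r in rows
                   if r["user"] in flagged_users and is_substantive_view(r)})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    stats = summarize_access(rows)
    flagged = flag_users(stats)
    for user, reasons in flagged.items():
        print(f"{user}: {reasons} across sites {sorted(stats[user]['sites'])}")
    print("notify:", patients_to_notify(rows, flagged))
```

The two-stage structure matters: the broad counters (volume, speed, site spread) are what surface a suspect account in the first place, while the substantive-view rule decides which patients actually need notification, which is the distinction between the 763,000 records scrolled past and the 12,000 patients notified in the account above.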
Munroe has been charged with violation of 42 U.S.C. 1320. So far, no one else has been charged in the case, which is United States of America v. Munroe, 6:12-mj-01378-KRS. Munroe is due back in court on September 14.
One of the things I’d really like to know – and it may take a mainstream journo to follow up on this – is whether, if the employee is arrested for selling protected patient info, the chiropractors and attorneys will be charged with receiving stolen info.