University Medical Center patients’ personal info sold
Some attorneys are ambulance chasers—a term coined to describer personal injury lawyers who follow ambulances from car wrecks to the hospital so they can shove their business cards into the hands of accident victims. Apparently at University Medical Center, attorneys—and possibly others—can simply buy victims’ information from the Las Vegas hospital’s employees.
Kathy Silver, the hospital’s CEO, admitted to legislators this week that she’s know for three weeks that the names, birth dates and Social Security numbers of at least 21 people who were patients at the UMC October 31 and November 1were sold. Those 21 patients were among 71 to receive services on October 31 and November 1, all of whom may be victims of the privacy breach.
The hospital’s chairman of the board, County Commissioner Lawrence Weekly learned of the data breach at the same time Silver did. When asked why he didn’t take steps after learning of the privacy breach when Silver did, he said he didn’t know selling patients’ information is illegal.
Silver said she’d heard rumors about patient information being sold, but gave it rudimentary investigation and then let it go. Three weeks ago the rumors were confirmed, but patients weren’t notified. The law allows 60 days to make a data breach notification, but The FBI is now investigating the hospital.
Some of the patients learned their information had been bought and sold when they received a call from a reporter at the Las Vegas Sun. An unnamed whistleblower gave the 21 records to the newspaper because of his or her concern about the leak.
Personal information has been flowing from the hospital in a slow, steady stream for several months, and possibly for several years, the source said. If that’s true, the public’s trust and the hospital’s fundraising ability could be eroded in the same way the Colorado River created the Grand Canyon.
Tags: data breach, HIPAA, Kathy Silver, Las Vegas, Lawrence Weekly, UMC, University Medical Center