Recently, a federal judge granted class action status to a civil suit filed against Triad of Alabama, the previous owner of Flowers Hospital in Dothan, Alabama—where, in 2014, a former phlebotomist was convicted of felony identity theft and sentenced to two years in prison after numerous patient records were discovered in his possession. The lawsuit names only five plaintiffs, but it alleges that “others similarly situated” could total in the thousands. Currently, neither the Defendant nor the Plaintiffs are able to put a number to how many patients’ personal records were removed from the hospital, but the former employee was able to use stolen information to file as many as 124 fraudulent federal tax returns in 2012 and 2013.
And yet another recent case involves Jackson Health System, a healthcare organization serving the Miami-Dade area, where a past employee is accused of stealing “reams” of printed patient information between 2012 and 2016. The woman’s arrest was part of a large-scale bust by the Florida Identity Theft Refund Fraud Strike Force, a group of law enforcement personnel formed in 2012 to combat tax refund scams. Over 100 suspected fraudsters and scam artists were charged in the action, and federal officials claimed that, together, they were attempting to steal more than $60 million from unsuspecting individuals. The operation prompted then-U.S. Attorney Wifredo Ferrer to declare South Florida the “epicenter of identity theft”—commenting further that hospitals and other large institutions needed to do a better job of protecting people’s personal information from would-be identity thieves.
In another recent story involving hospital records and stolen identities, two women working at a New Haven, Connecticut hospital allegedly targeted patients (possibly as many as twenty individuals) who were older or terminally ill—stealing their Social Security numbers, taking control of their finances and even purchasing life insurance policies with the two women listed as the beneficiaries.
Events such as these certainly bring into question the security of patients’ personal information—a topic I touched on not too long ago in a blog that made the bold statement, “2016: the year hospitals got hacked.” Has anything changed so far in 2017, or is this going to be another record year for compromised corporate and healthcare data? For some, this signals that criminals have finally caught up en masse with superficial security measures, and data protection is due for a massive overhaul if we are to stay ahead. Yet others point to the possibility that far too many employees at far too low a level of authority have access to such information. Neither is an appealing explanation, nor an easy fix. Unfortunately, most indicators hint that such problems will only become more prevalent as identity theft becomes more pervasive.
Both an Emory School of Law graduate and MBA graduate of Goizueta Business School at Emory, Chris Nace focuses his practice on areas of medical malpractice, drug and product liability, motor vehicle accidents, wrongful death, employment discrimination and other negligence and personal injury matters.