The University of Miami Hospital has fired two employees suspected of stealing and possibly selling the personally identifiable information (PII) of patients.
The health system announced the breach last week — the second to occur there this year — and began notifying those affected. A website detailing the incident also was set up.
On Thursday, a hospital spokeswoman declined to provide the number of patients impacted by the theft, in which employees accessed “face sheets” — documents that include names, addresses, dates of birth, insurance policy numbers, the reason for the hospital visit, and the last four digits of patients’ Social Security numbers, according to a letter sent to affected individuals.
Rachel Seeger, a spokeswoman for the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services, told SCMagazine.com on Thursday that the agency had yet to confirm how many patients were affected in the breach.
If breaches affect more than 500 residents of a state, HIPAA-covered entities must notify media outlets serving the affected areas, as well as affected individuals and the Health and Human Services secretary, within 60 days of the breach.
Due to the repeated offenses, HHS will determine what corrective action the hospital has taken to keep future breaches from happening, Seeger said. Firing employees would be one among many steps taken into consideration.
Victims may include those seen between October 2010 and July of this year, hospital officials said. The Miami Herald reported that the facility admits about 19,000 patients a year.
Authorities informed the hospital of suspicious activity on July 18, after which it delayed public notice until September upon request of police to avoid “hindering the criminal investigation,” the letter said. A representative for the Miami-Dade Police Department did not respond to a request for comment.
“This incident has no impact on your care,” said the letter to patients. “University of Miami Hospital computer systems are completely unaffected. Your information remains current and available; no information was altered or deleted. Please be assured we are committed to protecting all information entrusted to us.”
The University of Miami Health System, which is made up of three hospitals, is offering free credit monitoring services to affected individuals for two years through an outside company.
The incident follows a breach at the hospital last November, in which a thief stole a briefcase from a physician’s car, containing a flash drive with the PII of more than 1,000 patients, including their age, gender, diagnosis and treatment data from 2005 to 2011.