Hospital Identity Theft Found at Some South Florida Hospitals

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.nbcmiami.com/investigations/Hospital-Identity-Theft-Growing-Amid-South-Florida-Hospitals-197866811.html

Pictures taken in February and March of 2012 show Alci Bonannee and
Chante Mozley, two convicted identity thieves withdrawing cash from
several banks in Broward County.

The federal government says the money came from stolen tax refunds
that belonged to people like Miami resident Joseph Szot.

“When I filed a return, the accountant told me you can’t file because
somebody filed already,” Szot said.

And just how did Bonannee and Mozley get Szot's tax refund? Federal
authorities said it happened while he was a patient at South Miami
Hospital.

The pair is accused of paying respiratory therapist Betty Cole for
patients’ personal information including their social security number.
Internal Revenue Service Special Agent in Charge of the Miami office,
Tony Gonzalez said: “the bad guys that are able to get these social
security numbers are buying them from employees that work at these
hospitals and these medical centers which are sold up to $150 each.”

The breach at South Miami Hospital happened between June of 2011 and
February 2012 and affected 834 patients.

In a statement, Baptist Health which operates South Miami Hospital,
said "the employee was terminated, and efforts are underway to
prosecute this individual to the fullest extent possible."

NBC 6 reached out to that employee, Betty Cole, but she didn't want to
talk to the Team 6 Investigators.

The south Miami case is the latest hospital ID theft to surface in
South Florida. Since 2009, the Department of Health and Human Services
has received reports that hundreds of thousands of patients have been
affected by breaches at hospitals across South Florida. The hospitals
with the largest breaches include Memorial Healthcare System with
111,650 patients affected, the University of Miami Health System with
66,065 people, Mount Sinai Medical Center with 2,600 patients and
Jackson Health System with 2,062 patients.

Although many hospitals have had more breaches, a federal act called
HITECH only requires that medical centers report breaches that affect
more than 500 patients. Gonzalez said they’ve seen a case where
“gentleman who provided a service of taking elders home after being
seen at a hospital, would cut their little tabs off their wristbands
and with the patient number, walk into the hospital, look at the
computer and get a social security number without ever being an
employee of that hospital.”

In April of last year, Memorial Healthcare System in Hollywood
notified about 9,500 patients that two employees were fired because
they may have inappropriately accessed their personal information with
the intent to process fraudulent tax returns. In a statement, Memorial
said it “continues to enhance its security controls and monitoring
systems, limit user access in all physicians’ offices, and has
reinforced the importance of the privacy and confidentiality of
patients’ information with its staff and affiliated physicians’
employees.”

Last year, Jackson North had a breach that affected over 500 patients.
Ed O’Dell, the spokesperson for Jackson Health system says in that
case it “was a volunteer in a patient care area and he was apparently
taking pictures of patient information.”

Since then, Jackson has implemented new rules for volunteers
prohibiting them from using smartphones in patient areas. Linda Quick,
President of the South Florida Hospital and Healthcare Association, a
trade association, said the industry is not immune to breaches. She
told NBC 6: “proportionate to the number of people who are seen in our
member institutions it’s not pervasive in any way.”

Szot doesn't blame South Miami hospital. He said he believes companies
in general should find a way to reduce the risk of security breaches.

“I think corporations use social security numbers too much for
identifying you, putting the information out to too many people,” he
said.

The IRS said hospitals have been cooperating with them to combat
identity theft, a growing crime.

So how can you avoid becoming a victim at a hospital?

Quick said: “you do not have to provide your social security number,
but you do have to provide enough information for you to be
distinguishable from other people.”

A hospital may still require your social security number to verify
coverage if your insurance provider only identifies you that way, but
experts say you should ask questions before handing your number over.

Postal Inspector Blanca Alvarez said, “you don’t always have to give
it, if they ask for it, make sure that there’s a valid reason to
receive it but it doesn’t often have to be given.”

The IRS says identity theft affects many industries, not just
hospitals. According to HHS reports, health insurance companies have
had breaches affecting millions of Floridians.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.