University Hospital Cleveland patient information
The employee, who has been dismissed, breached the hospital system's electronic medical records, allowing the person to gain names, home addresses, phone numbers, email addresses, medical and health-insurance account numbers and other patient information, UH said. The electronic medical records also provide information on patients' office visits.
The employee also viewed information on some patients' Social Security numbers and personal financial account information, including credit card and debit card numbers.
"This sounds like a very serious case of medical identity theft, '' said Pam Dixon, the executive director of the World Privacy Forum, a nonprofit research group that focuses on privacy issues. "It is serious when it involves one patient. This is a major breach. It's a big deal. It is no small thing.''
A spokeswoman for the hospital system, Alicia Reale, said it appears the employee simply was snooping, as it is not aware of any fraud or identity theft involving patients. She said the hospital has mailed letters to the 692 patients involved.
Reale would not discuss anything about the employee, including where the person worked or the person's job title. She said the information on the case has been turned over to law enforcement authorities.
The hospital system said it first detected something wrong when it looked into an allegation of unauthorized access to its medical system. University Hospitals discovered Oct. 2 that the access occurred from Jan. 25, 2011, through June 27.
Dixon said it could take up to two years before it is clear whether there is any fraud. She said in many cases data that is gained improperly is later sold to identity theft rings, who use it to pummel a person's finances.
She said medical identity theft became a trend in the mid 2000s, but it has become much worse in the past few years.
"Usually, in a case with this many people involved, there is more to it than just snooping, '' Dixon said.
The hospital system said it has "notified all individuals whose information was part of the incident and established a dedicated information line to provide personal consultation.''
University Hospitals said it also has sought out industry experts to examine the circumstances involving the breach of information.
It said it would provide one year of free credit monitoring and identity theft protection to anyone whose Social Security numbers may have been accessed. It also said it would add more audits "to minimize the risk of a similar incident in the future.''
"UH takes the protection of patient health information very seriously, '' the hospital system said in a statement Friday. "UH continually evaluates and modifies its practices to enhance the security and privacy of its patients' information, including the ongoing training, education and counseling of its workforce regarding patient privacy matters.''