The University of Miami Hospital (UMH) has begun to notify patients for the second time this year that some of their personal information may be at risk after the health care institution was hit with a data breach in July. According to a letter being sent to patients this month, two employees at the hospital were found “inappropriately accessing” patients’ “face sheets,” documents that give doctors a quick glance at patients’ information.
The employees have been terminated but may have since sold some of the sensitive information, according to information provided to the hospital by local law enforcement on July 18.
That information includes patients’ names, addresses, dates of birth, insurance policy numbers and the reason they visited the hospital. The hospital warns that the last four digits of patients’ Social Security numbers were also on these “fact sheets” and that some insurance plans still use patients’ SSNs as their insurance policy numbers, which are also on the sheets.
According to the letter, the breach affects any patients who may have been seen at the hospital on the Miller School of Medicine campus in Miami between October 2010 and July 2012. Patients who visited other divisions of the hospital offsite, including the Bascom Palmer Eye Institute, Sylvester Comprehensive Cancer Center, Sylvester at Deerfield Beach or Kendall, and UHealth at Plantation, aren’t at risk.
In a move that is becoming practically customary with data breaches, the hospital is offering those affected by the breach with a two-year membership to a credit monitoring service.
There’s no word on how the employees allegedly tried to sell the patients’ information, yet UMH claims they’re looking into the incident and cooperating with law enforcement.
It’s also not known exactly how many patients are implicated in this breach, yet a report from the Miami Herald claims state records indicate the hospital admits around 19,000 patients a year, meaning roughly 30,000 Southern Florida residents could be at risk.
This is the second time this year the hospital has acknowledged its patients have had their information breached. In January the institution revealed a briefcase containing a flash drive with information on 1,219 patients from 2005 to 2011 was stolen from a pathologist’s car. The drive didn’t carry any of the patients’ social security numbers or financial information but did contain their age, gender and other medical information.