Published Friday, Nov. 20, 2009 | 2 a.m.
Updated Friday, Nov. 20, 2009 | 10:23 a.m.
Contact the Sun
- Accident patients who have been treated at UMC and contacted by legal representatives are invited to contact reporter Marshall Allen at 259-2330 or email@example.com.
Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.
Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.
Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients.
Selling — or even giving away — such information would violate federal patient-privacy laws and could result in fines and prison time.
Rory Reid, chairman of the Clark County Commission and one of the overseers of University Medical Center, this morning called on hospital officials to involve Metro police in their investigation.
"I've just called (UMC Chief Kathy Silver) and demanded a full investigation," Reid said. "If somebody is taking patient information and providing it to someone and selling it - that's a criminal offense and we need to know how widespread it is."
Reid also said the hospital needs to notify whatever patients might be affected by the leaked information, which includes names, social security numbers and birthdates — anything an identify thief would need.
Reid said that any hospital employee caught sharing private information "should be prosecuted to the full extent of the law."
News of apparent leaks triggers the latest scandal at a flagging public hospital dogged by financial losses, mismanagement and graft.
The spouse of a patient whose privacy was breached told the Sun that it makes her unwilling to return to UMC. “It’s disturbing because you’re not safe,” she said.
UMC is the area’s only level one trauma center, so it draws the majority of Clark County’s seriously injured traffic accident victims. Learning the names of and personal information about these patients would be a boon for personal injury attorneys on the prowl for clients who could win payouts from insurance companies.
Going on for months?
Kathy Silver, chief executive of the hospital, said Thursday in an interview with the Sun that she heard rumors about information being leaked from the trauma center early this summer. She said a source put her in touch with a local chiropractor, who shared with her the rumor that attorneys were illegally gaining access to patient information. She did a cursory investigation of the attorneys who had requested medical records, but she and the chiropractor agreed that nothing seemed unusual.
The chiropractor called her back about three weeks ago, but after she called him back the two never got in touch.
“I thought it was a nonissue,” Silver said.
Then this week, Dr. John Ellerton, UMC’s chief of staff, told her the medical community is abuzz with rumors that patient “face sheets” — cover sheets that provide an overview of each case — were being illegally sent from the hospital to attorneys, Silver said. At the same time, the Sun was calling county commissioners asking about the alleged leak, and the newspaper’s inquiries made their way back to Silver.
Silver said she was not even sure there was a leak until the Sun reporter informed her Thursday that 21 patient records, dated Oct. 31 and Nov. 1, had been provided to the newspaper by a source as evidence of the leak.
It is not known how many patient records have been printed from hospital computers and distributed to outsiders. But the source told the Sun it’s believed to have been going on for months.
Other information contained in the documents includes each patient’s address, employer, insurance information and details of the accident and injuries.
“Wow,” Silver said upon learning about the actual leak of information.
The source who provided the face sheets to the Sun is several degrees removed from the leak at UMC and did not know exactly where the documents came from. Many people knew about the leak and had tried to tell the hospital’s administrators, the source said, but no one had taken any action.
People in the medical community had also informed Clark County Commissioners — who make up the hospital’s board of trustees — about the leak, the source said.
County Commissioner Lawrence Weekly, who serves as chairman of the UMC board of trustees, told the Sun that he heard of the alleged breach from more than one reliable source about 10 days ago. He said he was told that representatives of law firms were approaching car accident victims even while they were in the hospital. He had not talked to the hospital about it because he was not sure if it was illegal for private patient information to leave the hospital.
“I’m not sure of the legality of that but to me it sounds inappropriate based on my knowledge,” Weekly said.
Weekly said he was doing his own research on the allegation before telling anyone at the hospital.
“I didn’t want to stir the pot up 100 percent until I had the opportunity to ask some folks,” Weekly said.
Such transgressions are serious violations of the Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy in health care facilities. Joy Pritts, an associate professor at the Institute for Healthcare Research and Policy at Georgetown University, said the allegations about UMC, if true, would represent “outrageous conduct.”
“The individual who is committing it is probably in criminal violation of HIPAA,” Pritts said. “They could be looking at jail time. And I’m not kidding.”
A person rushed to the emergency room is at his most vulnerable, with no choice about where he’s treated or who provides his care, said Pritts, who helped write the HIPAA laws. For a patient’s personal information to be sold as a commodity is ridiculous and offensive, she said.
“The motivations for doing this have nothing to do with treating the patient,” Pritts said. “This is all motivated by money.”
HIPAA violations can be investigated by the county district attorney, the state attorney general’s office or the United States Attorney’s office, Pritts said. Congress increased the penalties for HIPAA violations, effective at the end of November. A person who violates a patient’s privacy with the intent to sell information can be fined up to $250,000 and imprisoned for up to 10 years.
The wife of one patient whose information was forwarded to the Sun said her husband was at fault in the accident that sent him to the hospital, and they have not received any calls from attorneys. She was disturbed to be informed by the media that her information had been compromised and expressed concern about identity theft.
“You just want to know: How far did they get?” she said. “Has anyone received it who wants to do something with that information other than represent me as a lawyer?”
The Sun gave her the number of Silver, the hospital CEO, and the two talked on the phone.
After Silver spoke with the woman whose information had been compromised, Silver told the Sun that she was considering calling on Metro Police to investigate the matter.
Past legal trouble at UMC
A police probe would be nothing new at UMC. The hospital’s former CEO, Lacy Thomas, is facing a criminal trial for allegedly handing out no-work contracts to his cronies in Chicago. And members of the facilities department have been arrested for allegedly using hospital materials and manpower to run their own side businesses.
Silver said there have been other recent breaches with patient information. A UMC transplant coordinator was fired after leaving a laptop loaded with patient information in her car, which was stolen. And the company that provides in-house doctors to UMC had to notify patients and monitor their credit after a package that contained their personal information was stolen and later discovered in downtown Chicago.
The Sun faxed two of the patient face sheets to UMC and Silver said they are documents created during the registration process. She said there are several clues that will help with the investigation to determine who is leaking the information.
“There’s some source within our system,” Silver said. “Finding that source is going to be our challenge.”
Copyright Nov. 20, 2009, Las Vegas Sun