FBI looking at UMC records leak

By Marshall Allen

Saturday, Nov. 21, 2009 | 2 a.m.

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

UMC officials spent Friday determining how they would respond to the Sun’s report that protected patient information allegedly has been sold so ambulance-chasing attorneys can harvest clients.

FBI Special Agent Joseph Dickey said the agency met with officials of the county owned hospital and has begun “evaluating” the unauthorized release of confidential patient records.

Dickey said he could not confirm whether the FBI had officially opened an investigation. The matter appears to violate the federal Health Insurance Portability and Accountability Act, better known as HIPAA, a federal law that guards patient privacy.

“The allegations seem to be very serious,” Dickey said. “Absolutely, they are serious, on a number of fronts. There could be multiple federal laws that are violated.”

He added that this is the first time he has seen such a potential violation in Las Vegas.

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Hospital CEO Kathy Silver said the hospital called Metro, but the case was referred to the FBI.

The county’s response is an about-face for hospital and county officials. Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Commissioner Lawrence Weekly, chairman of the hospital’s board of trustees, told the Sun that he was warned almost two weeks ago by “several credible people” that someone was leaking private patient information to an outside attorney. But Weekly did not report the information to anyone at UMC because he was not familiar with the HIPAA laws — which include penalties of up to $250,000 in fines and 10 years in jail.

The hospital’s alarm bells went off Thursday, when the Sun told Silver that it had obtained, from a source concerned about the security breach, 21 UMC “face sheets,” the documents that provide an overview of each patient case including personal information on the patient and family members, billing details and an overview of injuries.

The documents related to patients who had been injured in traffic accidents on Oct. 31 and Nov. 1. The source did not know how the copies of the face sheets were leaked from the hospital, but said he obtained them through a chain of concerned people in the medical community who were frustrated by the hospital’s lack of response to the HIPAA violations. Face sheets have been leaked from UMC for months, the source said he believes.

Patients and families listed on the face sheets were stunned when they were contacted by the Sun and told of the violation of their privacy.

Cheryl Mayes suffered an eye injury in a car accident Nov. 1 and was rushed to UMC’s trauma center. Both hers and her husband’s personal information was contained in a face sheet that was leaked.

“It’s out of line,” Robert Mayes, her husband, told the Sun. “It’s negligence on the part of the hospital and their administration for the way they handle records.”

Mayes said he was not shocked that someone in these economic times would sell his patient information from the hospital. He said he was disappointed and “a little angry,” but that “it’s just something you deal with.”

Another man whose Social Security number was compromised because his daughter was at the hospital Oct. 31 said he was “shocked” and felt “betrayed” by UMC.

Meanwhile, some medical professionals said they were not surprised by revelations of information leaks at UMC.

“That’s been going on for a long time,” said a nurse who worked in the UMC trauma center.

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

She later heard from other attorneys that they had nurses on the payroll who worked in the trauma department.

“For every referral they get a couple thousand dollars,” the nurse was told.

The nurse said she never told any supervisors because she never knew for certain who was involved. But she said she knew that “somebody was going to get bitten bad with this one. If it’s happening with as much frequency as I’m hearing, it’s going to explode one of these days.”

Phil Pattee, assistant bar counsel for the State Bar of Nevada, said attorneys are not allowed to solicit clients directly and are not allowed to have anyone do so on their behalf. They are also not allowed to split fees with third parties who are not attorneys, he said.

The bar, which licenses attorneys, would be “very interested” if the allegations reported by the Sun are true, Pattee said. Attorneys found guilty of such allegations could be publicly reprimanded, suspended or disbarred, he said.

Perhaps the most galling fallout of the breach was shared Friday by a man whose middle-aged loved one is fighting for life in UMC’s Intensive Care Unit.

He told the Sun that a few days ago a company selling burial insurance left him a message at home. “Protect your loved ones from the burden of paying for your burial,” the message said, guaranteeing acceptance regardless of medical condition. He had never before received such a call, and had not sought such services.

After reading the Sun’s story of the leaked patient information, the man wondered if UMC employees had sold the patient’s personal information to the burial insurance company. He described such behavior by employees as “mercenary.”

“How jaded are they in this whole life and death thing that they feel comfortable making money on whether somebody lives or dies while under their care?” he said.

Sun reporter Richard Serrano contributed to this story.