Announcement from the University of Miami
An investigation by the University of Miami Health System and Miami-Dade Police has found that two University of Miami Hospital employees were accessing patient information inappropriately and may have sold the information. The two employees were terminated immediately, and the University has taken steps to help patients who could be affected safeguard their personal information. We have no indication that medical records are at risk.
The information was contained on “face sheets,” which are documents related to the patient registration process. Face sheets contain the name, address, date of birth, and insurance policy numbers, as well as the reason for the patient’s visit and the service area he or she visited. While social security numbers are masked to display only the last four digits, some health insurance plans, including Medicare and Medicaid, continue to use social security numbers as insurance policy numbers. Such information was included on the face sheets. The face sheets do not contain test results or other detailed patient health care information.
The University of Miami Health System was informed of this breach by police on July 18, 2012, and delayed public notice at their insistence to avoid hindering the criminal investigation. In accordance with state and federal law, the University is notifying patients whose information may have been inappropriately accessed between October 2010 and July 2012. The University also is offering potentially affected patients complimentary credit monitoring protection and has established a website to serve as a primary source of information, as well as a toll-free number for additional questions.
Only patients who visited University of Miami Hospital between October 2010 and July 2012 may be affected by this incident. To reiterate, only patients who visited this specific facility during that time frame are included in the affected population. Patients who were seen ONLY at other University of Miami Health System sites of service (for example, Sylvester Comprehensive Cancer Center, Bascom Palmer Eye Institute, Sylvester at Deerfield Beach or Kendall, UHealth at Plantation, etc.) and NEVER at University of Miami Hospital are NOT affected.
University of Miami Hospital computer systems are completely unaffected by this incident. All patient information remains current and available on these systems.
At the University of Miami Health System we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data. We remain committed to cooperating with law enforcement officials as they continue their investigation and, pursuant to the Federal HITECH Breach Notification Rule, we will report this incident to the U.S. Department of Health and Human Services.
Available around the clock, the University’s incident website is www.umhdataincident.med.miami.edu. The toll-free incident line, 877-534-7033, is available from 9 a.m. to 9 p.m. EST Monday through Friday and from 11 a.m. to 8 p.m. EST Saturday and Sunday until Dec. 5, 2012.