Two University of Miami Hospital employees were fired after admitting they accessed sensitive patient information without authorization.
The former employees, who have not been identified, perused records that included addresses, birth dates, policy numbers and reasons for hospital visits. Although Social Security numbers were not among the details privy to the former employees, some insurance companies use them as policy numbers. No medical records or test results were compromised.
The hospital said the fired workers gleaned the information from registration "face sheets" and may have sold it to a third party.
The statement said law enforcement made the hospital aware of "possible inappropriate activity" on July 18 but asked the medical facility to keep the breach under wraps "to avoid impeding their criminal investigation." The Miami-Dade Police Department investigation is ongoing.
Patients who were treated at UM Hospital between October 2010 and July 2012 may have been affected. Based on state records, the Miami Herald noted, the hospital treats roughly 19,000 patients each year; potentially impacting over 30,000 individuals, each of whom, the hospital said, will receive individual notices. Healthcare IT News reports that the hospital will provide two years of ID theft protection services to those impacted.
They also noted that UM Hospital suffered a separate data breach when information on a flash drive was stolen from a doctor's car.