University of Miami Hospital Data Incident: July 2012

What happened?

Based on information provided by law enforcement, the University of Miami Health System conducted an investigation into the activity of two University of Miami Hospital employees. The investigation revealed that these two individuals were inappropriately accessing patient information from registration “face sheets” and may have sold the information to a third party. Once discovered, these two employees were terminated immediately.

We have no indication that medical records are at risk. At the University of Miami Health System we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of patient data and remain committed to cooperating with law enforcement as they continue their investigation.

What information is included on the face sheets?

Face sheets are patient registration related documents that contain basic identifying information, including name, address, date of birth and insurance policy numbers, as well as the reason and service area for the visit. While the social security number field was masked to display only the last four digits, some health insurance plans, such as Medicare and Medicaid, continue to use social security numbers as insurance policy numbers. Such information was included on the face sheets. Face sheets do not contain test results or other patient health care or financial information. We have no indication that medical records are at risk.

Is there any impact on my care?

No. University of Miami Hospital computer systems are completely unaffected by this incident. Your patient information remains current and available on these systems; no information was altered or deleted. We have no indication that medical records are at risk.

When was the University of Miami Health System made aware of the issue?

Law enforcement notified the University of Miami Health System on July 18, 2012, of possible inappropriate activity at University of Miami Hospital.

Why did the University of Miami Health System wait until now to notify the affected population?

Law enforcement officials insisted that we delay a public announcement to avoid impeding their criminal investigation. As soon as law enforcement authorized us to proceed, we began the notification process.

Who may be potentially affected?

Only patients who visited the University of Miami Hospital facility at 1400 N.W. 12th Avenue in Miami between October 2010 and July 2012 may be affected by this incident. Note that only patients who visited this specific facility (formerly known as Cedars Medical Center) are included in the affected population. Patients who have been seen ONLY at other University of Miami Health System sites of service (for example, Sylvester Comprehensive Cancer Center, Bascom Palmer Eye Institute, Sylvester at Deerfield Beach or Kendall, UHealth at Plantation, etc) but NEVER at University of Miami Hospital are NOT affected by this incident..

What action was taken?

The two employees identified as the source of the inappropriate activity admitted improper conduct and were terminated. The investigation remains ongoing by law enforcement. We are reviewing our practices to determine if additional steps are necessary to avoid such incidents in the future.

We fully expect our employees to reflect shared values, including our commitment to deliver high-caliber, compassionate health care while maintaining the privacy and security of our patients’ information. We deeply appreciate being entrusted with your care, and we want to assure you that protecting patient information is a top priority for the University of Miami Health System.

All patients who may have been affected will receive an individual notification letter, mailed to the address provided on their last visit. The letter will contain information regarding credit monitoring services.

How Do I Activate My Two-Year Membership to Experian’s ProtectMyID Elite Online?

Click on this link http://www.protectmyid.com/UM or type it into your Web browser address bar located at the top of the screen (SEE BELOW). The address must be typed EXACTLY as indicated.

DO NOT type http://www.protectmyid.com/UM into a search engine such as Google, Bing, or Yahoo as multiple websites not directly related to the incident may appear.

If further assistance is required, please contact the incident line at 877-534-7033. With your code, you can enroll in this service over the phone. Please note you will be required to verify your identity during this call.

Protect my Id website

Whom should I contact if I have questions?

The website at www.umhdataincident.med.miami.edu is the primary source of information for this incident. The University also has established a toll-free number, 877- 534-7033, that affected individuals may call for additional information. This toll-free incident line is available from 9 a.m. to 9 p.m. EST Monday through Friday, and from 11 a.m. to 8 p.m. EST Saturday and Sunday until January 5, 2013.

If you have additional questions or concerns that are not addressed by the main incident line, you may contact the UM Privacy Office at 866-366-4874 or 305-243-5000, Monday through Friday from 9 a.m. to 4 p.m. EST.

What can I do to protect my credit?

You should obtain a copy of your credit report and review it for fraudulent activity and/or unusual accounts, including credit cards you have not opened or listed addresses that are not yours.

You may order one credit report from each of the three nationwide consumer credit reporting companies by visiting annualcreditreport.com, calling 1-877-322-8228, or completing the Annual Credit Report Request Form and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You also may print a request form from www.ftc.gov/freereports.

You may individually order your credit report from each of the three consumer credit reporting companies at the same time, or you may order your report from each company one at a time. Since the law allows you to order one free copy of your report from each of the three companies every 12 months, the recommended approach is to order one copy from a different reporting company every four months. This staggered approach will allow you to review and monitor your information free of charge once every four months. For additional information, you may visit the Federal Trade Commission website or the State of Florida Office of the Attorney General Identity Theft Resource and Response Center website.

The contact information for the three nationwide consumer credit reporting companies is:

What is a fraud alert?

A fraud alert is a special message placed for free on your credit report that tells a credit issuer when inquiring about a consumer’s credit that there may be fraud on the account. Before extending new credit, the creditor will call you to confirm that you have applied for such credit. A fraud alert is generally placed on your account for a 90-day period. You can ask that it be reinstated once 90 days have passed, but it is your responsibility to do so.

How do I place a fraud alert on my file?

To place a fraud alert on your file, you may call one of the three consumer credit reporting companies and make the request. The company you call will automatically forward the fraud alert to the other two. Once the fraud alert is placed on your file, you should receive a confirmation letter from all three credit bureaus. This letter also will contain instructions on how to order a free credit report. Once you receive your report, if you feel something is incorrect or suspicious, call the bureau at the phone number provided on the report.

Will a fraud alert interfere with the use of my credit cards or with obtaining new credit?

No, it will not stop you from using your credit cards. However, it may slow the process of obtaining new credit. Since the purpose of the fraud alert is to protect you from someone else establishing credit in your name, creditors will need to re-verify the identity of the person applying for credit.

What is identity theft?

According to the United States Department of Justice, the terms identity theft and identity fraud "refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain."

It is important to remember that a breach of your personal information does not mean you will experience identity theft. You should, however, monitor your credit report and take the other steps referenced above to avoid identity theft.