An identity-theft ring managed to breach emergency-room files at Holy Cross Hospital to steal Social Security numbers and personal details of about 1,500 patients, officials said Wednesday.
Emergency-room employee Natashi Orr was among four people arrested as part of an investigation that began before June, U.S. postal inspectors and prosecutors said.
After federal agents uncovered the scheme, hospital technicians spent months tracking Orr's computer activity but cannot be sure which 1,500 patients she compromised while working there from April 2009 to September. That's when she was fired.
As a precaution, Holy Cross is notifying all 44,000 patients who visited the emergency room during that period, so they can take steps to make sure their identities were not misused, hospital Chief Executive Dr. Patrick Taylor said in a statement.
This is the second major identity-theft case in a South Florida hospital. In 2007, a front-desk coordinator at Cleveland Clinic in Weston was arrested for printing personal details of 1,130 patients to be used on fraudulent medical bills.
At Holy Cross, technicians discovered that Orr, 36, had printed basic computerized forms in patient files containing name, address, birth date, diagnosis and other details, officials said. Raushanah Bowleg, 33, Opa-locka, did the same on his job at an Aventura physician office.
Both were paid for the information by Mildred Alexis, 42, of Miramar. Alexis then sold the ID details to Albert Anthony Andrulonis, 26, of Davie, and Jimmy Lee Theodore, 27, of Pembroke Pines, who used the data to obtain credit cards and bank debit-card accounts to steal money, authorities said.
In the Cleveland Clinic case, the ID-theft ring sold the patient details to a Naples medical firm that used the data to collect $8 million of false billings from Medicare. The hospital employee pleaded guilty and was sentenced to three years' probation including six months of house arrest.
The Holy Cross breach came to light when postal inspectors recovered paper records bearing personal details of 38 patients, Taylor said. Hospital technicians tracked the employee's computer activity to learn she had accessed 1,500 files, officials said.
The breach only affects patients who came to the emergency room, not other departments, Taylor said. Officials do not believe the woman compromised the hospital computer system, but rather just stole the printouts.
Holy Cross officials said they hoped the breach would not undermine patients' trust in the hospital's information security. The hospital responded by blocking patient ID details from being included when someone prints forms, officials said.
"While it may be impossible to absolutely prevent an employee from violating our values and policies for personal gain, we are determined to take all necessary steps to review and strengthen our administrative procedures to ensure that we are providing the highest level of data security possible," Taylor said.
In its letter to the 44,000 patients, the hospital offered one year of free credit-monitoring services from Experian to help them monitor for possible ID theft. A spokeswoman could not say how much that would cost.
Holy Cross also has started a hotline for patients with questions, at 800-388-4301.
Inspectors arrested four of the five, with Theodore still at large. The charges — mail, wire and bank fraud — carry penalties up to 20 years in prison per count, with up to 10 additional years for each count of disclosing individual health information.