A ‘rogue’ employee at Miami-Dade’s public hospital network, Jackson Health System, was placed on administrative leave for suspicion of stealing reams of private patient information over the last five years in a scheme that may have compromised more than 24,000 records, according to hospital officials.
Evelina Reid, a hospital unit secretary and Jackson Health employee since 2005, has been placed on administrative leave and stripped of her access to all facilities and records, CEO Carlos Migoya reported on Tuesday in a memo to Miami-Dade commissioners and the hospital system’s board of trustees.
Jennifer Piedra, a Jackson spokeswoman, said the health system “has launched a full investigation” into the breach, which included patient names, birth dates, Social Security numbers and home addresses .
Patients whose personal information may have been stolen will be notified by mail and provided credit-monitoring services at Jackson’s expense, Migoya noted. Patients seeking additional information about the data breach should send an email to firstname.lastname@example.org.
24,188 patient records may have been accessed inappropriately.
The news comes four days after Jackson Health announced the firing of two employees for breaching the private information of New York Giants star player Jason Pierre Paul, whose right index finger was amputated at Jackson Memorial last year and his patient chart leaked to ESPN.
Migoya, who has overseen a financial turnaround at the taxpayer-supported hospital system, noted the harm that such data breaches can cause to Jackson Health and its efforts to attract more patients.
“For Jackson’s transformation to continue succeeding,” he wrote, “we must have an impeccable reputation for respecting the privacy of our patients and their records.”
In the memo, Migoya refers to Reid as “a rogue Jackson employee” and he notes that Jackson Health contacted and is cooperating with police to investigate the alleged theft of patients’ private information, which is protected under federal law through the Health Insurance Portability and Accountability Act or HIPAA.
We must have an impeccable reputation for respecting the privacy of our patients and their records.
Jackson Health CEO Carlos Migoya
According to Jackson Health records, Reid was a secretary for the main operating room. She earned about $33,000 in 2014.
Piedra said a preliminary review revealed that an estimated 24,188 records may have been accessed inappropriately.
Reid has not been fired, and it’s unclear whether Jackson Health administrators are awaiting the results of police and internal investigations to complete termination proceedings.
Migoya noted in the memo to Miami-Dade officials that Jackson Health is in the process of upgrading security for private patient information, and that the hospital system’s estimated 11,000 employees recently completed additional training on patient privacy.
Breaches of private patient information affecting more than 500 people must be reported to the U.S. Department of Health and Human Services, which maintains a list of incidents dating back to 2006. Jackson Health has reported three incidents since 2011, affecting 3,599 people.