Data breach of personal patient info ends in firing of Miami hospital employee
More than 2,000 patients at Jackson Health System had their personal data, including names, address and medical information, accessed in a lengthy breach that spanned nearly five years.
The data breach was conducted by a Jackson employee who accessed the information to promote a personal healthcare business, according to Jackson Health. Miami-Dade’s public hospital system announced the patient data breach Friday afternoon.
Jackson Health says its internal investigation found that the “unauthorized access” to patient records occurred between July 2020 and May 2025. The data breach included “patient names, birth dates, addresses, medical record numbers and clinical details,” but Social Security numbers weren’t compromised, according to the hospital.
“Data breaches are unfortunately all too common in the healthcare industry, where sensitive information is frequently targeted,” Jackson Health said in a statement. ”In this case, Jackson became a victim of an employee who took advantage of his trusted position to access patient information inappropriately.”
Jackson Health spokeswoman Krysten Brenlla declined to answer questions from the Miami Herald on the breach, including at which hospital the breach occurred.
Jackson said the employee who accessed the patient data was “immediately terminated.”
The hospital said it’s “cooperating with law enforcement to investigate any potential criminal violations. Patients affected are being notified.”
Health records are private under a federal law known as HIPAA, or the Health Insurance Portability and Accountability Act.
Miami-Dade Sheriff Office spokesperson Detective Samantha Choon told the Miami Herald on June 11 that a “criminal investigation is currently ongoing,” and no arrest has been made.
The sheriff office said it was notified about the breach on June 3, a few days before Jackson publicly announced the breach. Jackson’s internal investigation began in early May, according to the sheriff office.
Based on the preliminary investigation, it doesn’t appear that other employees were involved in the breach, according to Choon.
The detective, describing the investigation as still being in its early stages, said investigators are trying to determine the employee’s “purpose for accessing patient information” and declined to answer questions about the employee’s business.
“At this time, we cannot release any information that may compromise the investigation,” Choon said.
News of the breach comes just days after an executive with the hospital system’s fundraising arm was arrested on allegations that she pocketed more than $1 million through an almost decade-long kickback scheme.
This isn’t the first time patient records have been breached at Jackson. The U.S. Department of Health and Human Services in 2019 fined the hospital system $2.15 million “over three patient health information breaches, including missing boxes of paper records, an employee leaking information about an NFL player to an ESPN reporter, and another employee stealing and selling other records,” as the Miami Herald has previously reported.
Health-related breaches are on the rise
Healthcare hacks have been on the rise for years, with the country reporting a record-breaking number of breached healthcare records in 2024, according to the HIPAA Journal, which has compiled healthcare data breach statistics for more than a decade. Many breaches are often linked to hacking and ransomware attacks.
The largest 2024 breach involved Change Healthcare, owned by United Healthcare and the largest insurance payer at Jackson, which was hit by a cyberattack that temporarily affected the payment process systems that some hospitals, providers and pharmacies in the country use to process medical claims for payments.
Last year, Florida’s Department of Health also experienced a breach that caused death certificate delays and led to thousands of records, including HIV test results, detailed doctors notes and immunization and virus testing records ending up on the dark web. A ransomware attack also briefly affected not-for-profit blood center OneBlood’s ability to process and deliver blood to hospitals in Florida and much of the southeast.
Jackson Health, in its Friday statement announcing the newest patient data breach, said the health network is “committed to protecting patient privacy and addressing any potential breach with urgency and transparency. “
This story was originally published June 6, 2025 at 4:57 PM.
