U of Miami Hospital breach due to employee foul play

An investigation revealed that two University of Miami Hospital employees were inappropriately accessing patient information from registration “face sheets,” and may have sold the information to a third party.

According to a statement on the provider's website, the face sheets contained basic identifying information, including name, address, date of birth and insurance policy numbers, as well as the reason and service area for the visit.

The Social Security number field was masked to display only the last four digits but some health insurance plans, such as Medicare and Medicaid, use Social Security numbers as insurance policy numbers. Such information was included on the face sheets.

Law enforcement notified the University of Miami Health System on July 18, of possible inappropriate activity at University of Miami Hospital. The authorities insisted that the health system delay a public announcement to avoid impeding their criminal investigation, according to the statement. "As soon as law enforcement authorized us to proceed, we began the notification process."

Only patients who visited a particular facility between October 2010 and July 2012 may be affected by this incident.

The two employees identified as the source of the inappropriate activity admitted improper conduct and were terminated. The investigation remains ongoing by law enforcement.