Imagine having your personal and medical information stolen not once, but twice. It happened to a VCU Health System patient. And it was an inside job.
“It’s extremely frustrating,” said that patient, who WRIC is not identifying. “You live in that fear, will my money be taken, will accounts be opened up in my name?”
The news of the security breach came in a letter. It stated her “clinical information, name, social security number, diagnosis and medications” had been inappropriately accessed by an employee.
The letter also stated it had been going on for nearly two years. VCU became aware of it February 1. However, the letter dated March 21, didn’t get to the patient until March 29.
“I think it is way too long,” she said, suggesting VCU should have alerted her immediately.
“I think it needs to be brought to everyone’s attention,” said the patient.
VCU declined an interview with 8News, but in a statement, explained that they did adhere to the Department of Health and Human Services mandates, which requires notifying the patient affected by a breach within 60 days.
Still, the patient told us, “As for VCU, I am very disappointed.”
She says that’s because it’s the second time in five years her personal and private information has been compromised at VCU Health System. She says VCU refused to tell her where it happened.
She’s visited the ER, sees a surgeon at VCU and frequents a VCU dentist. She would like to know which office it occurred in.
She says the questions internal controls and security measures the VCU Health System has in place.
“I have been connected with other hospitals, Bon Secours and HCA, and never once been breached with them. She tells us she’s thinking twice about whether she will continue to get care there.
“Is it worth it?” she asked.
VCU Health System sent this statement to WRIC:
“VCU Health System is committed to our patients’ safety, health and well-being, which includes safeguarding their private information. We cannot discuss the details of any individual patient or their private information, nor confirm if a person is a patient, without their full consent.
VCU Health System takes numerous steps to actively protect our patients’ private information. For example, our policies expressly prohibit access of any patient information without a legitimate business need, and employees are routinely trained on the importance of privacy and confidentiality. We utilize established best practices, including use of access-monitoring technology to track access to patient information in our electronic systems, as well as pre-set alerts to notify us immediately about access that looks suspicious. When suspicious access of patient information is identified, VCU Health System promptly investigates and disciplines those who violate our policies. Taking these types of access breaches seriously, discipline often includes suspension or termination.
VCU Health System also adheres to the Department of Health and Human Services’ Office for Civil Rights mandates, which include:
1. Notifying the patient that is affected by a breach within 60 days
2. Notifying the media if the breach affects 500 or more patients
When a patient is notified of inappropriate access, it is done as soon as possible. VCU Health System often offers free credit monitoring to patients – even if the breach investigation reveals no evidence of identity theft or malicious intent – as an added precaution for our patients. VCU Health also provides patients contact information in the event they have questions about the breach.
VCU Health System is committed to reporting inappropriate accesses to its patient and the Office for Civil Rights, as well as taking steps to mitigate its effects and limiting future occurrences.”
Richmond attorney Drew Sarrett, who specializes in identity theft cases, has seen what thieves can do when they get their hands on your personal data.
“You have things from people opening fake bank accounts and writing fake checks, you have account take over,” he explained.
Yet he says there can also be some legal help for victims.
The Virginia Supreme Court has ruled medical providers have a duty to maintain the confidentiality of medical records.
“Wrongfully disclosing information may be grounds for medical malpractice action,” says Sarrett.
In the meantime, Sarrett says the first step for this patient or anyone after learning their personal information has been compromised is to request a copy of their credit report from the three major credit bureaus- Equifax, Experian and Transunion.
“And once you receive those reports go through them carefully to determine if there are any accounts you are not familiar with,” advises Sarrett.
It’s free, and it’s something he says all of us should do annually.
Another helpful tip to prevent identity theft is something you can do right now as long as you’re not currently in the market to buy a car or house: request the credit bureaus freeze your credit.
“I think security freezes are probably one the most effective tools. It means a potential new creditor cannot access your credit report to evaluate you for a new account,” Sarrett said.
VCU has offered free credit monitoring to the patient for one year, but that offers her little comfort.
“They can hold on it for a couple years or they sell it,” says the patient.
Sarrett’s says he’s seen it happen.
“I have had clients who had identify theft ongoing for five- or 10-plus years, and it is really a horrific situation,” he said. “It’s like whack a mole they think they’ve resolved this particular issue and then something else pops up.”
The patient tells us, “I have put a fraud alert on all the credit rating companies. You have to monitor all your accounts, it is pretty scary.”
VCU told WRIC when suspicious access of a patient is identified, they promptly investigate and discipline. The employee in this case no longer works for VCU.
Under the law, VCU doesn’t have to tell patients where or who accessed their data unless they know a fraudulent account has been set up with the stolen information.
You can find more information about identity theft reports in the U.S. here.