More than 1,000 patients at Cedars-Sinai Medical Center had their personal information taken by a former employee in the hospital’s billing department, according to hospital officials who said prosecutors allege that the man used the identities to steal from insurance companies.
The hospital’s chief financial officer warned affected patients in a letter sent last week that their information had been found during a search of the former employee’s home. He urged them to monitor their credit reports and to notify the district attorney’s office if they noticed anything unusual.
The allegations against James Allen Wilson, 44, of Los Angeles mark the latest in a series of privacy breaches at area hospitals, where staffers have been caught peeking at the files of celebrities as well as their co-workers and friends.
In this case, hospital officials said Allen -- who last worked at Cedars-Sinai in March 2007 -- had legitimate access to the patients’ records for billing purposes, but did not have permission to take identifying information home.
So far, investigators have alleged that the scheme netted Wilson at least $69,000, said Jane Robison, a spokeswoman for the Los Angeles County district attorney’s office. But she said the investigation is continuing, and the scope and scale of the alleged theft could grow.
Wilson was arrested Nov. 6 by the Los Angeles County Sheriff’s Department. He has pleaded not guilty to multiple felony charges, including identity theft, insurance fraud and grand theft. He remains in custody on $895,000 bail and is scheduled to be in court Jan. 22. Attempts to reach his attorney Monday were not successful.
Hospitals’ increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars.
Cedars-Sinai officials said they are serious about their responsibility to protect patients’ information.
“In this case, it appears the privacy breach was not the result of someone accessing information they should not have accessed, but instead the privacy breach involved an individual illegally using information that he had legitimate access to as part of his job,” Chief Financial Officer Edward Prunchunas wrote in the letter that the hospital provided to The Times.
Prunchunas assured the recipients that there was no immediate indication that their personal information had been used for anything other than fraudulent insurance claims.
He said hospital officials had no knowledge of any illegal activity until alerted recently by prosecutors.
“We are deeply concerned and troubled about any privacy breach, and expect that you will feel similarly,” Prunchunas said. “I would like to personally apologize for the fact that a former employee was apparently involved in this criminal activity.”
Wilson worked in Cedars-Sinai’s workers’ compensation accounts department from January 2003 and until March 2007, when he left the hospital for reasons unrelated to the case, Cedars-Sinai spokeswoman Elise Anderson said. She declined to elaborate, citing the hospital’s obligation to protect employees’ privacy.
Because of the ongoing investigation, district attorney’s officials refused to discuss details of the case against Wilson, including the affected insurance companies.
According to the hospital’s letter, prosecutors told the hospital that Wilson set up a fake laboratory company. He allegedly used the names of actual workers’ compensation beneficiaries to submit claims for services that were never performed at the fictitious lab, the letter said. The insurers sent payments by check to a post office box that Wilson set up, the letter said.
When investigators searched Wilson’s home at the time of his arrest, they found the records of legitimate workers’ compensation claims belonging to 1,005 patients, Anderson said. By Monday, few of those patients had responded to the hospital’s letter. Those who contacted the hospital reported that they had suffered no personal financial losses, Anderson said.
When a patient’s medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records. Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation.
The wife of one man who received the letter said they felt doubly victimized, first by the injury on the job and now by the theft of his personal details. She and her husband asked not to be identified because they have both suffered work-related injuries and she is still in the process of seeking compensation for care.
“I never expected it,” he said. “This is one of the best hospitals I have been treated at -- the doctors, the nurses, everybody -- and it’s very sad that an employee would do something like this.”
Cedars-Sinai has faced previous problems with breaches of patient confidentiality.
Hospital spokesman Richard Elbaum told The Times earlier this year that three or four workers are terminated annually for trying to peak at celebrity patients’ records. There are also suspicions that someone at the hospital tipped the celebrity news website TMZ.com to a story on a medication error last year that nearly killed the infant twins of actor Dennis Quaid and his wife, Kimberly, although no one has been charged.
Similar problems have surfaced at one of the hospital’s major competitors, UCLA Medical Center, where at least 165 staff members have been disciplined for improperly accessing the files of more than 1,000 patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
The allegations in the Wilson case, however, mark a different challenge because he was permitted access to the files as part of his job, Anderson said.
Cedars-Sinai officials said that although they continually reevaluate security procedures, they plan to use the latest breach as another opportunity to review the way the hospital monitors the conduct of employees who have access to patients’ information.
The hospital already uses passwords, security cameras and audits to monitor who has accessed the files, among other methods.
Even more security is in place in the case of high-profile patients, including limits on the employees who can view their records and real-time alerts to signal inappropriate access. If someone gets past those hurdles they will see an on-screen warning: “This patient record is restricted. All accesses are logged and audited. Inappropriate accesses are grounds for disciplinary action and/or dismissal.”