Since 2009, the Department of Health and Human Services has received reports that hundreds of thousands of patients have been affected by breaches at hospitals across South Florida.Miami resident Joseph Szot says he was victim. NBC 6's Myriam Masihy reports.
Pictures taken in February and March of 2012 show Alci Bonannee and Chante Mozley, two convicted identity thieves, withdrawing cash from several banks in Broward County.
The federal government says the money came from stolen tax refunds that belonged to people like Miami resident Joseph Szot.
“When I filed a return, the accountant told me you can’t file because somebody filed already,” Szot said.
And just how did Bonannee and Mozley get Szot's tax refund? Federal authorities said it happened while he was a patient at South Miami Hospital.
The pair is accused of paying respiratory therapist Betty Cole for patients’ personal information including their social security number. Internal Revenue Service Special Agent in Charge of the Miami office Tony Gonzalez said: "The bad guys that are able to get these social security numbers are buying them from employees that work at these hospitals and these medical centers which are sold up to $150 each."
The breach at South Miami Hospital happened between June of 2011 and February 2012 and affected 834 patients.
In a statement, Baptist Health which operates South Miami Hospital, said "the employee was terminated, and efforts are underway to prosecute this individual to the fullest extent possible."
NBC 6 reached out to that employee, Betty Cole, but she didn't want to talk to the Team 6 Investigators.
The south Miami case is the latest hospital ID theft to surface in South Florida. Since 2009, the Department of Health and Human Services has received reports that hundreds of thousands of patients have been affected by breaches at hospitals across South Florida. The hospitals with the largest breaches include Memorial Healthcare System with 111,650 patients affected, the University of Miami Health System with 66,065 people, Mount Sinai Medical Center with 2,600 patients and Jackson Health System with 2,062 patients.
Although many hospitals have had more breaches, a federal act called HITECH only requires that medical centers report breaches that affect more than 500 patients. Gonzalez said they’ve seen a case where “gentleman who provided a service of taking elders home after being seen at a hospital, would cut their little tabs off their wristbands and with the patient number, walk into the hospital, look at the computer and get a social security number without ever being an employee of that hospital.”
In April of last year, Memorial Healthcare System in Hollywood notified about 9,500 patients that two employees were fired because they may have inappropriately accessed their personal information with the intent to process fraudulent tax returns. In a statement, Memorial said it “continues to enhance its security controls and monitoring systems, limit user access in all physicians’ offices, and has reinforced the importance of the privacy and confidentiality of patients’ information with its staff and affiliated physicians’ employees.”
Last year, Jackson North had a breach that affected over 500 patients. Ed O’Dell, the spokesperson for Jackson Health system says in that case it “was a volunteer in a patient care area and he was apparently taking pictures of patient information.”
Since then, Jackson has implemented new rules for volunteers prohibiting them from using smartphones in patient areas. Linda Quick, President of the South Florida Hospital and Healthcare Association, a trade association, said the industry is not immune to breaches. She told NBC 6: “proportionate to the number of people who are seen in our member institutions, it’s not pervasive in any way.”
Szot doesn't blame South Miami Hospital. He said he believes companies in general should find a way to reduce the risk of security breaches.
“I think corporations use Social Security numbers too much for identifying you, putting the information out to too many people,” he said.
The IRS said hospitals have been cooperating with them to combat identity theft, a growing crime.
So how can you avoid becoming a victim at a hospital?
"You do not have to provide your Social Security number, but you do have to provide enough information for you to be distinguishable from other people," Quick said.
A hospital may still require your social security number to verify coverage if your insurance provider only identifies you that way, but experts say you should ask questions before handing your number over.
"You don’t always have to give it. If they ask for it, make sure that there’s a valid reason to receive it, but it doesn’t often have to be given," Postal Inspector Blanca Alvarez said.
The IRS says identity theft affects many industries, not just hospitals. According to HHS reports, health insurance companies have had breaches affecting millions of Floridians.