North Shore-Long Island Jewish Health System is facing a widening legal battle over allegations that it failed to notify hundreds of patients—including a doctor working at the system—that an identity-theft ring had stolen their unprotected confidential information.
Twelve people have filed a $50 million class-action lawsuit against the system and North Shore University Hospital, where thieves stole physical paper records called “face sheets” and unencrypted digital files that contained patient information such as insurance numbers, Social Security numbers, dates of birth, addresses and medical histories. The thefts occurred “on or before fall 2010 and continuing at least through 2012,” according to the lawsuit.
Plaintiffs' attorney Bonita Zelman, who also represents medical malpractice and police brutality clients, said at least 20 people have contacted her since the 12-plaintiff lawsuit was filed Feb. 5 in Queens County Supreme Court to say they were also victims of ID theft at the 804-bed hospital in Manhassat, N.Y., and were seeking to join the case.
Terence Lynam, spokesman for Great Neck, N.Y.-based North Shore-LIJ, confirmed in an e-mail that two people have been convicted and “multiple” other people have been arrested for operating “a widespread identity theft ring that victimized a number of organizations and about 1,000 individuals throughout the Northeast, including about 200 North Shore University Hospital patients.”
Lynam said no North Shore employees have been charged in the scheme. He also defended how quickly the system notified victims of information theft, despite allegations in the lawsuit that the system should have informed people sooner.
“Any time we were alerted that any of our patients were affected, we sent out letters promptly,” he said. “Some folks have complained that they weren’t notified, and it’s because we didn’t know.”
The victims say the 11-hospital system failed to notify them that their information had been compromised, even as thieves traveled the country opening credit lines and bank accounts in patients’ names, buying iPhones, maxing out patients’ existing credit cards and even filing bogus tax returns using victims’ information.
One of the people suing the health system is Dr. Diane Peterman, who has been employed by North Shore-LIJ for 17 years and was admitted for major surgery as a patient at the system hospital Jan. 23, 2012, the lawsuit says.
Less than two weeks later, police in Arlington, Va., discovered the face sheet from Peterman’s procedure among a cache of documents confiscated during a routine traffic stop there. The health system learned of the discovery Feb. 5, 2012, the lawsuit says, yet North Shore officials waited until March 20 to notify her.
In the meantime, Peterman received a bill from AT&T stating that someone had used her information to open five cell phone accounts and run up $2,292 in charges, damaging her credit rating.
Peterman works as an emergency room physician at the system’s 299-bed Huntington (N.Y.) Hospital, Lynam confirmed.
Lynam declined to comment on whether the stolen files in any of the incidents had been encrypted or adequately protected. But he said the hospital has since taken aggressive steps to strengthen its security protocols, and that no identify thefts had been reported to the hospital in the past 11 months as a result.
The class-action lawsuit seeks to represent anyone who had their personal information stolen from North Shore-LIJ hospitals, alleging that the system was negligent in how it handled paper records and failed to encrypt digital records, despite guarantees in its “Patients’ Bill of Rights,” and then failed to notify affected patients until long after it learned of the thefts.
The plaintiffs are seeking actual financial damages, emotional and mental damages, and $50 million in punitive damages “to deter such future reprehensible conduct and to advance New York state’s strong public policy of ensuring that patients’ privacy rights … are protected.”
More than 21.5 million people nationally have had their medical records compromised since September 2009, according to HHS’ Office of Civil Rights, which compiles and publicly reports breaches involving 500 or more people. The North Shore incident, which the system says involved 200 patients, is not among the breaches on the list.
More than 60,000 breaches of information involving fewer than 500 people have also been reported to the Civil Rights Office, though those notices are not made public.
—with Joseph Conn