Terence Lynam, spokesman for Great Neck, N.Y.-based North Shore-LIJ, confirmed in an e-mail that two people have been convicted and “multiple” other people have been arrested for operating “a widespread identity theft ring that victimized a number of organizations and about 1,000 individuals throughout the Northeast, including about 200 North Shore University Hospital patients.”
Lynam said that no North Shore employees have been charged in the scheme. But he defended how quickly the system notified victims of information theft, despite allegations in the lawsuit that the system should have informed people sooner.
“Any time we were alerted that any of our patients were affected, we sent out letters promptly,” he said. “Some folks have complained that they weren't notified, and it's because we didn't know.”
The victims say the 11-hospital system failed to notify them that their information had been compromised, even as thieves traveled the country opening credit lines and bank accounts in patients' names, buying iPhones, maxing out patients' existing credit cards and even filing bogus tax returns using victims' information.
One of the people suing the health system is Dr. Diane Peterman, who has been employed by North Shore-LIJ for 17 years and was admitted for major surgery as a patient at a system hospital on Jan. 23, 2012, the lawsuit says.
Less than two weeks later, police in Arlington, Va., discovered the face sheet from Peterman's procedure among a cache of documents confiscated during a routine traffic stop there. The health system learned of the discovery on Feb. 5, 2012, the lawsuit says, yet North Shore officials waited until March 20 to notify her.
In the meantime, Peterman received a bill from AT&T stating that someone had used her information to open five cell phone accounts and run up $2,292 in charges, damaging her credit rating.
Peterman works as an emergency room physician at the system's 299-bed Huntington (N.Y.) Hospital, Lynam confirmed.
Lynam declined to comment on whether the stolen files in any of the incidents had been encrypted or adequately protected. But he said the hospital has since taken aggressive steps to strengthen its security protocols, and that no identity thefts had been reported to the hospital in the past 11 months as a result.
The class-action lawsuit seeks to represent anyone who had their personal information stolen from North Shore-LIJ hospitals, alleging that the system was negligent in how it handled paper records and failed to encrypt digital records, despite guarantees in its “Patients' Bill of Rights,” and then failed to notify affected patients until long after it learned of the thefts.
The plaintiffs are seeking actual financial damages, emotional and mental damages, and $50 million in punitive damages “to deter such future reprehensible conduct and to advance New York state's strong public policy of ensuring that patients' privacy rights … are protected.”
More than 21.5 million people have had their medical records compromised since September 2009, according to HHS' Office of Civil Rights, which compiles and publicly reports breaches involving 500 or more people. The North Shore incident, which the system says involved 200 patients, is not among the breaches on the list.
Another 60,000 breaches of information involving fewer than 500 people have been reported to the Civil Rights Office, though those records are not made public.
Reporter Joseph Conn contributed to this report.