The university is not saying how many patients were affected, but will have to report that number to the HHS Office for Civil Rights and it could be a very large breach. Out of an “abundance of caution,” the university is notifying all patients at the University of Miami Hospital, formerly Cedars Medical Center, from October 2010 to July 2012. The breach does not affect other health system facilities and does not affect any information systems.
Information on face sheets includes names, addresses, dates of birth, insurance policy numbers, and reason for and service area for the visit. “While the Social Security number field was masked to display only the last four digits, some health insurance plans, such as Medicare and Medicaid, continue to use Social Security numbers as insurance policy numbers,” according to a university statement. “Such information was included on the face sheets.”
The university became aware of the breach on July 18 when notified by police. The university is offering affected patients two years of comprehensive credit and identity protection services from Experian.