The arrest of Dwight McPherson, a former patient admissions representative, was part of an investigation involving the U.S. Postal Inspector, Secret Service and Federal Bureau of Investigation.
Starting in early 2006, McPherson agreed to provide the personal identification information of patients of NewYork-Presbyterian to at least two co-conspirators in return for money, according to an announcement from the U.S. Attorneys office. McPherson knew that these individuals were going to use this information to commit crimes. In connection with the scheme, McPherson accessed approximately 49,841 patient records during a two-year period of time. In December 2007 and early 2008 alone, McPherson sold over 2,000 patient identification records to his co-conspirators in New York. In February 2008, approximately 221 of these records were seized by federal agents in Atlanta, Georgia.
The Associated Press has reported the records in Atlanta were found during an investigation by postal investigators, and McPherson confessed to authorities on April 11. In December or January, McPherson sold 1,000 records for $750 and another batch of unspecified size for $600 a short time later, according to AP. He was arraigned in federal court in Manhattan on April 12. The hospital on April 11 sent the following notice to local media and posted the notice on its Web site on April 15:
A federal investigation and a NewYork-Presbyterian Hospital internal audit have uncovered the theft of personal identity information, including names, phone numbers, and in some cases Social Security numbers, of approximately 40,000 hospital patients at NewYork-Presbyterian Hospital/Weill Cornell Medical Center. We do not believe that any health-related information was included.
All affected patients are being contacted by mail this week and will be directed to a special hotline for further information, as well as to a credit-monitoring agency. Only affected patients will be contacted. Those who are not affected will not receive a letter.
We deeply regret that this has occurred, and we understand the concern that patients may feel. We want to assure our patients that we take this matter very seriously and will take all necessary steps to safeguard their personal information. We have appointed an internal task force to build upon our existing systems and to develop a comprehensive program to prevent potential data theft in the future.
Affected patients being notified are those treated on an inpatient basis during the time of the thefts, according to a hospital spokesperson. The hospital will pay for one year of credit monitoring services.