More than 1,000 patients at Cedars-Sinai Medical Center had their personal information taken by a former employee in the hospital's billing department, according to hospital officials who said prosecutors allege that the man used the identities to steal from insurance companies.
The hospital's chief financial officer warned affected patients in a letter sent last week that their information had been found during a search of the former employee's home. He urged them to monitor their credit reports and to notify the district attorney's office if they noticed anything unusual.
The allegations against James Allen Wilson, 44, of Los Angeles mark the latest in a series of privacy breaches at area hospitals, where staffers have been caught peeking at the files of celebrities as well as their co-workers and friends.
In this case, hospital officials said Allen -- who last worked at Cedars-Sinai in March 2007 -- had legitimate access to the patients' records for billing purposes, but did not have permission to take identifying information home.
For The Record
Los Angeles Times Thursday, December 25, 2008 Home Edition Main News Part A Page 2 National Desk 1 inches; 53 words Type of Material: Correction
Privacy breach at Cedars-Sinai: An article in Tuesday's California section on a former Cedars-Sinai Medical Center billing worker who allegedly used the identities of patients to defraud insurance companies reported that he was arrested by the Los Angeles County Sheriff's Department. James Allen Wilson was arrested by the district attorney's Bureau of Investigation.
So far, investigators have alleged that the scheme netted Wilson at least $69,000, said Jane Robison, a spokeswoman for the Los Angeles County district attorney's office. But she said the investigation is continuing, and the scope and scale of the alleged theft could grow.
Wilson was arrested Nov. 6 by the Los Angeles County Sheriff's Department. He has pleaded not guilty to multiple felony charges, including identity theft, insurance fraud and grand theft. He remains in custody on $895,000 bail and is scheduled to be in court Jan. 22. Attempts to reach his attorney Monday were not successful.
Hospitals' increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars.
Cedars-Sinai officials said they are serious about their responsibility to protect patients' information.
"In this case, it appears the privacy breach was not the result of someone accessing information they should not have accessed, but instead the privacy breach involved an individual illegally using information that he had legitimate access to as part of his job," Chief Financial Officer Edward Prunchunas wrote in the letter that the hospital provided to The Times.
Prunchunas assured the recipients that there was no immediate indication that their personal information had been used for anything other than fraudulent insurance claims.
He said hospital officials had no knowledge of any illegal activity until alerted recently by prosecutors.
"We are deeply concerned and troubled about any privacy breach, and expect that you will feel similarly," Prunchunas said. "I would like to personally apologize for the fact that a former employee was apparently involved in this criminal activity."
Wilson worked in Cedars-Sinai's workers' compensation accounts department from January 2003 and until March 2007, when he left the hospital for reasons unrelated to the case, Cedars-Sinai spokeswoman Elise Anderson said. She declined to elaborate, citing the hospital's obligation to protect employees' privacy.
Because of the ongoing investigation, district attorney's officials refused to discuss details of the case against Wilson, including the affected insurance companies.
According to the hospital's letter, prosecutors told the hospital that Wilson set up a fake laboratory company. He allegedly used the names of actual workers' compensation beneficiaries to submit claims for services that were never performed at the fictitious lab, the letter said. The insurers sent payments by check to a post office box that Wilson set up, the letter said.
When investigators searched Wilson's home at the time of his arrest, they found the records of legitimate workers' compensation claims belonging to 1,005 patients, Anderson said. By Monday, few of those patients had responded to the hospital's letter. Those who contacted the hospital reported that they had suffered no personal financial losses, Anderson said.
When a patient's medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records. Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation.
The wife of one man who received the letter said they felt doubly victimized, first by the injury on the job and now by the theft of his personal details. She and her husband asked not to be identified because they have both suffered work-related injuries and she is still in the process of seeking compensation for care.