The biggest HIPAA violation yet?

April 15, 2008
NYC hospital worker charged with stealing and selling info on nearly 50,000 patients

NEW YORK -- A man who worked in the admissions department at a prestigious Manhattan hospital has been charged with stealing and selling information on nearly 50,000 patients.

Dwight McPherson, 38, a former worker at New York-Presbyterian Hospital/Weill Cornell Medical Center, was arrested Friday night, shortly after the hospital announced the security breach.

McPherson was arraigned Saturday in federal court in Manhattan. He is charged with computer fraud, identity document fraud, transmission of stolen property and sale of stolen property. U.S. Magistrate Judge James C. Francis IV ordered McPherson not to leave the New York area before his next scheduled court appearance May 12.

Prosecutors said McPherson exploited his access to the hospital's computer registration system to acquire lists of patient names, phone numbers and Social Security numbers over a two-year period.

Authorities became aware that something was amiss when printouts of patient records were discovered in Atlanta during an investigation by postal inspectors, according to a complaint filed by prosecutors Saturday.

McPherson confessed to a role in the identity-theft scheme when he was interrogated by agents on Friday, an inspector said in the complaint.

McPherson told agents that in 2006 he was approached by someone offering money in exchange for the names, addresses and other identifying information of male patients born between 1950 and 1970. The complaint said McPherson sold a batch of 1,000 records in December or January for $750, and another batch for $600 a short time later.

Prosecutors didn't reveal Saturday who had purchased the data or why, but the court complaint said the buyers intended to use the information "in connection with illegal activity."

McPherson didn't address the charges during his brief court appearance and wouldn't speak to reporters after he was released on bond.

"He is a hardworking, honest man," said his lawyer, Bob Walters.

New York-Presbyterian suspended McPherson in February after being contacted by federal investigators.

Hospital spokeswoman Myrna Manners said Friday evening that none of the stolen data contained private health information, and that the hospital was unaware of any instance where the information had been used to scam individual patients.

The hospital is in the process of contacting thousands of patients, setting up a hot line for them and offering credit monitoring services. It is also examining its procedures to prevent future thefts, Manners said.

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Courtesy Getty Images -- Kunakorn Rassadornyindee
Courtesy of BigStock -- Copyright: Kasia Bialasiewicz