Johns Hopkins Hospital has experienced a data breach involving more than 10,000 patients, including dozens of patients who have become identity theft victims as a result of the breach.
Donald Bradfield, Senior Counsel for the hospital, sent a letter to the Maryland Attorney General’s office detailing the discovery of the data breach. According to the April 3 letter, law enforcement agencies and identity theft victims who had been patients at the hospital notified Johns Hopkins of the problem in January.
An investigation conducted by local law enforcement, the U.S. Postal Service, the U.S. Secret Service and the Johns Hopkins Corporate Security Department lead to a hospital employee working in patient registration. Investigators believe the employee is part of a Virginia fraudulent driver’s license scheme.
Because of the nature of her job, the worker had access to patients’ names, addresses, phone numbers, birth dates, parents’ names, Social Security numbers, physicians’ names and patients’ insurance information. The suspect used a system that did not include patients’ medical information.
Johns Hopkins created the following three-tiered system to categorize the victims and services offered according to the victims’ identity theft risk:
- 31 individuals confirmed as identity theft victims and Johns Hopkins patients were offered two years of credit monitoring and fraud resolution services, educational material and access to a call center for more information. They are eligible for up to $30,000 of identity theft reimbursements.
- 562 Virginians whose information was accessed by the suspect were offered one year of the above listed services.
- Roughly 10,200 additional patients whose information was accessed by the suspect for what are thought to be routine purposes were not offered any services, but were notified of the data breach and advised to watch their accounts closely.
This is the hospital’s third reported data breach within a two-year period. More than 150,000 records have been compromised because of the hospital’s security lapses.