FBI probing UMC data leaks

The FBI is investigating claims that sensitive patient information was leaked from University Medical Center, violating federal privacy laws.

Hospital officials suspect at least one employee sold documents with confidential data about accident victims to local attorneys who could use it to solicit business from these patients.

"We're trying to find out how widespread it is," hospital spokesman Rick Plummer said, noting that the FBI investigation began Friday morning. "It goes against everything we stand for. Whatever attorney's office this went to should be very nervous."

Those who flout the federal Health Insurance Portability and Accountability Act, also known as HIPAA, face a possible $250,000 fine and 10 years in prison for each offense.

The State Bar of Nevada has received no complaints about attorneys inappropriately receiving or using UMC patient information, spokesman Phil Pattee said.

But Pattee said a combination of ethics rules prohibits lawyers from engaging in the kind of activity alleged in the UMC case.

"Essentially you cannot give nonlawyers anything of value for referring a client to you," he said.

While lawyers are allowed to advertise, they are not allowed to solicit business directly from prospective clients, although there are exceptions, Pattee said.

Because federal laws might have been broken, local authorities probably won't get involved, said Bill Cassell, a spokesman for the Metropolitan Police Department.

The U.S. Attorney's office will handle the case if an arrest is made, according to an official in the district attorney's office.

Daniel Bogden, the U.S. attorney for Nevada, said he could neither confirm nor deny that a matter is under investigation.

But he said he is not aware of any past federal prosecutions in Nevada involving HIPAA violations.

UMC is a county hospital with a trauma center that handles a high volume of patients who have been in car wrecks.

An unnamed tipster showed a Las Vegas Sun reporter "face sheets" containing personal data on accident victims, including birth dates, Social Security numbers and injuries, Plummer confirmed. The newspaper informed the hospital's chief executive Kathy Silver, who said she had heard rumors about leaks months before.

Silver declined to comment Friday.

Clark County Commissioner Rory Reid said he told both Silver and the county manager to launch an investigation. The hospital must prevent further breaches of privacy and notify the patients whose personal information was disclosed, Reid said. The county also should do an internal audit to help pinpoint the leaks, he said.

This is the latest blow to a hospital struggling to improve its finances and image. UMC's deficit ballooned to more than $80 million this year and is expected to remain deep in the red next year.

Lacy Thomas, the hospital's former chief executive, was fired nearly three years ago amid allegations that he mismanaged funds and funneled lucrative contracts to Chicago friends who did no work in return.

Commissioner Lawrence Weekly, who sits on UMC's board of trustees, said he was upset that the hospital suffered a setback in regaining the public's trust. The leaks unfairly blemish the hospital employees who are honest and dedicated to helping patients, he said.

"It's frustrating and it's disheartening," Weekly said. "This kind of nonsense is unacceptable."

Review-Journal writer Carri Geer Thevenot contributed to this report. Contact reporter Scott Wyland at swyland@reviewjournal.com or 702-455-4519.