Bankruptcy Filings A Treasure Trove for Identity Thieves

A case against Raleigh-based WakeMed is just the latest showing healthcare firms violating patient privacy as they pursue unpaid bills.

It is a sad statistic: illness is one of the leading causes of personal bankruptcy in the United States. But a report out of WRAL in Raleigh, North Carolina, suggests that healthcare firms may be adding insult to the injury of bankruptcy: dumping personally identifiable data into court filings that then become part of the public record.

In pursuing claims of unpaid medical bills against current and former patients, the North Carolina firm WakeMed included the names, Social Security Numbers, household addresses, medical record information and even the names of covered minors in supporting documents filed in bankruptcy court. WakeMed is now being sued by attorneys representing those patients, who note that the organization violated bankruptcy laws and may have violated other regulations, including HIPAA, the healthcare privacy act.

According to WRAL’s report, the issue came to light as attorneys representing patients were reviewing bankruptcy court filings posted on the court’s electronic filing system, known as PACER (Public Access to Court Electronic Records). Cort Walker, a bankruptcy and civil business litigation attorney at Sasser Law Firm, told WRAL that he was getting ready to challenge a proof of claim for medical services from WakeMed when he noticed personal information about his clients had been included in the records the hospital had submitted to bolster its case.

Federal bankruptcy law requires that personally identifiable information like date of birth, Social Security Number, financial account numbers and the names of other individuals who are not the debtor be redacted from filings, unless a court says otherwise.

Still, attorneys at Sasser found 158 cases involving just its clients dating back to 2013 where WakeMed violated federal bankruptcy code by including Social Security numbers, full dates of birth and medical records. They filed a motion for contempt, sanctions and damages against WakeMed, citing North Carolina’s Identity Theft Protection Act and the state’s Unfair and Deceptive Trade Practices Act. The attorneys have also indicated they may file a claim with the Office for Civil Rights, which applies the Federal HIPAA patient privacy laws.

In a statement, WakeMed said it is “in the process of investigating” the incident and has moved to block access to WakeMed proof of claim forms filed on PACER.

The case against WakeMed isn’t the first time that bankruptcy filings have been fingered as a storehouse of potentially damaging personal and financial information. In 2012, Duke University Health System informed patients who had sought Chapter 13 bankruptcy protection that a third party billing firm accidentally attached copies of outstanding billing statement(s) for services provided by its facilities and physicians to support proofs of claim filed in Chapter 13 bankruptcy actions by patients of DUHS.

According to Duke University, the billing statement included the patients’ name and address, patients’ and dependents’ internal medical record number, and even a list of services received.

And the U.S. Internal Revenue Service was the target of widespread attacks by identity thieves this year, who used an IRS web filing application and information gleaned from public records to file false claims for more than 600,000 taxpayers.

The IRS has subsequently taken steps to improve the security of its online filing system, but attention to inadvertent data leaks that result from the actions of third parties is a major concern for organizations, especially in regulated industries such as healthcare.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
