Bankruptcy Filings A Treasure Trove for Identity Thieves



A case against Raleigh-based WakeMed is just the latest showing healthcare firms violating patient privacy as they pursue unpaid bills.

It is a sad statistic: illness is one of the leading causes of personal bankruptcy in the United States. But a report out of WRAL in Raleigh, North Carolina, suggests that healthcare firms may be adding insult to the injury of bankruptcy: dumping personally identifiable data into court filings that then become part of the public record.

In pursing claims of unpaid medical bills against current and former patients, the North Carolina firm WakeMed included the names, Social Security Numbers, household addresses, medical record information and even the names of covered minors with supporting documents filed in bankruptcy court. WakeMed is now being sued by attorneys representing those patients, who note that the organization violated bankruptcy laws and may have violated other regulations, including HIPAA, the healthcare privacy act.

According to WRAL’s report, the issue came to light as attorneys representing patients were reviewing bankruptcy court filings posted on the court’s electronic filing system, known as PACER (Public Access to Court Electronic Records). Cort Walker, a bankruptcy and civil business litigation attorney at Sasser Law Firm, told WRAL that he was getting ready to challenge a proof of claim for medical services from WakeMed when he noticed personal information about his clients had been included in the records the hospital had submitted to bolster its case.

Federal bankruptcy law requires that personally identifiable information like date of birth, Social Security Number, financial account numbers and the names of others individuals who are not the debtor be redacted from filings, unless a court says otherwise.

Still, attorneys at Sasser found 158 cases involving just its clients dating back to 2013 where WakeMed violated federal bankruptcy code by including Social Security numbers, full dates of birth and medical records. The filed a motion for contempt, sanctions and damages against WakeMed, citing North Carolina’s Identity Theft Protection Act and the state’s Unfair and Deceptive Trade Practices Act. The attorneys have also indicated they may file a claim with the Office for Civil Rights, which applies the Federal HIPAA patient privacy laws.

In a statement, WakeMed said it is “in the process of investigating” the incident and has moved to block access to WakeMed proof of claim forms filed on PACER.

The case against WakeMed isn’t the first time that bankruptcy filings have been fingered as a storehouse of potentially damaging personal and financial information. In 2012, Duke University Health System informed patients who had sought Chapter 13 bankruptcy protection staff that a third party billing firm accidentally attached copies of outstanding billing statement(s) for services provided by its facilities and physicians to support proofs of claim filed in Chapter 13 bankruptcy actions by patients of DUHS.

According to Duke University, the billing statement included the patients’ name and address; patients’ and dependents’ internal medical record number, and even a list of services received.

And the U.S. Internal Revenue Service was the target of widespread attacks by identity thieves this year, who used an IRS web filing application and information gleaned from public records to file false claims for more than 600,000 taxpayers.

The IRS has subsequently taken steps to improve the security of its online filing system, but attention to inadvertent data leaks that result from the actions of third parties is a major concern for organizations, especially in regulated industries such as healthcare.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.

Paul Roberts

Please post your comments here

Dan Geer: The 5 Myths Holding Your Security Program Back

Use this eBook to find out if any of these myths are hurting your security program.

Download now

Related Articles
The $2M USB Drive: 2011 Incident Costs Insurance Firm Dearly

A HIPAA fine for the Puerto Rican firm MAPFRE cites the firm for not following through on fixes after a USB drive containing customer information was stolen. The cost: $2.2 million.

Digital Guardian Adds Functionality to Data Protection Suite

Digital Guardian is pleased to announce the release of the latest version of our industry leading data protection platform, adding functionality for both the management console and endpoint agent. This release further enhances Digital Guardian’s ability to protect sensitive data anywhere, anytime as the volume of sensitive data expands and the digital economy's reliance on data grows.

Building a Data-Centric Security Architecture from the Ground Up: A Customer Story

Establishing a data protection program doesn't have to be a long or tedious process - here's the story of a customer who was able to quickly build a data security program based on three key initiatives.