This article was updated on May 17, 2012 (New text in bold):
Six weeks after Howard University Hospital told more than 34,000 patients that a contractor’s laptop containing their personal health information had been stolen, federal authorities have filed criminal charges against a hospital worker accused of selling people’s medical records.
Charging documents filed in federal court in Washington this week say Laurie Napper, a technician in the surgery department, sold patients’ names, addresses, dates of birth and Medicare numbers from August 2010 until December 2011.
The court papers do not say how much money she received or what the buyer did with the information, and a hospital spokesman did not respond to questions.
Ms. Napper was charged with one count of wrongful disclosure of individually identifiable health information, which carries a sentence of up to 10 years in prison when the violation involves selling the information for money.
In a statement released May 16, Howard officials said they were notifying affected patients whose information may have been compromised as a result of this week’s criminal charges against an individual they described only as a Howard University Health Sciences employee.
“This incident is not connected to an unauthorized disclosure of patient information from Howard University Hospital, reported Jan. 27, 2012,” officials said in the statement.
“Howard University Health Sciences is committed to providing its patients with the highest level of care,” the statement said. “We regret this incident and are reviewing all aspects of our security related to patient information. We are taking appropriate measures to safeguard the privacy and integrity of patient health information.”
Charging documents state that Ms. Napper was employed by Howard University Hospital, but officials said she was employed in the offices of surgical physicians located on the Howard University campus, not in the hospital itself.
The charges come after Howard officials notified patients that a laptop containing protected health information had been stolen from a contractor’s vehicle.
An attorney representing Ms. Napper said in an email Tuesday that her client’s case has “nothing to do” with a stolen laptop. The attorney, Dani Jahn, assistant federal public defender, declined further comment on the newly filed charges.
Still, the case is an embarrassing setback for the hospital in light of unwanted publicity earlier this year about the laptop theft.
Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, a consumer advocacy group, said both incidents are troubling, but she expressed particular concern about the length of time Ms. Napper is accused of selling patient information. According to prosecutors, the scheme lasted more than a year.
“That the illegal sale of personal information could be allowed to go on for that long strikes me as an indication that the internal auditing practices of the hospital were lacking,” Ms. Givens said.
Howard officials announced the laptop theft in March, saying a contractor had downloaded patients’ files onto a personal laptop in violation of both hospital policy and federal rules.
“We regret this incident and we have already put in new procedures to prevent similar violations in the future,” Larry Warren, the hospital’s chief executive officer, said in announcing the episode.
The data contained on the laptop included Social Security numbers, medical record numbers, discharge dates and diagnosis-related information.
Officials said in a statement that the diagnosis information consisted of medical codes, while “only a minority of cases did the information include written descriptions of a patient’s medical procedures or condition.”
The laptop was password protected, and officials said there was no reason to believe that the thief targeted the laptop or knew what sort of information it contained.
Howard officials also said they reported the laptop theft to all three credit reporting agencies as well as the civil rights division of the U.S. Department of Health and Human Services.
• Jim McElhatton can be reached at jmcelhatton@washingtontimes.com.