Moffitt reviewing 492 patient records in privacy breach

Moffitt Cancer Center is contacting 492 of its patients after learning an employee falsified at least one patient's signature on a consent form for a cancer research study.

Moffitt discovered the falsification July 29, and immediately began looking into the records of 6,464 patients who are enrolled in the 4-year-old research study, called Total Cancer Care. Moffitt fired the employee, who has not been identified.

Moffitt CEO William S. Dalton said the study involved no patient treatment, only reviews of patients' records. Nevertheless, federal patient privacy laws may have been violated.

During a meeting today with the editorial board of The Tampa Tribune, Dalton said Moffitt is investigating how many records were falsified and how the information from those records was used.

He also said all 492 records have been frozen and cannot be accessed by anyone until the investigation is completed.

"I never would have guessed something like this would happen. It did," Dalton said. "We bumped our head."

He said Moffitt is doing everything possible to figure out what happened and make sure it doesn't happen again.

The investigators haven't found any clues to explain why the employee would falsify consents. The employee gave no explanation, saying it had only happened once.

Dalton said he didn't know what the consequences of the incident might be for Moffitt. But he said he hoped the institutions that regulate Moffitt and provide research grants would be impressed by its quick and thorough response to the July 29 discovery.

That response included reporting the incident to the federal Office of Human Research Protections, which conducts ethical oversight of clinical research. It's part of the Institutional Research Board at the University of South Florida.

The research study, Total Cancer Care, is a centerpiece of Moffitt's vision of providing personalized cancer treatment, Dalton said.

It involves the creation of a database of patient treatment histories that doctors could search to find the most effective treatment for their patients.

"It's a very big part of what we do," Dalton said. But for it to work, "we have to have information about hundreds of thousands of patients."

Gathering that information requires following the patients as they are treated, using molecular technology to analyze how their tumors respond to various treatments. Researchers also would need to contact the patients after their treatment, and that requires Moffitt to obtain their consent.

Moffitt assigned seven people, called consenters, to interview new patients about the project. The process involves showing patients a video, having them fill out a questionnaire and obtaining a signed agreement from those who choose to participate.

On July 29, a Moffitt employee visited a patient who appeared to have signed a consent form and discovered the patient's signature had been forged. The employee reported the breach, and Moffitt officials immediately confronted the consenter on the case.

Under questioning, the consenter admitted to the forgery but denied having done it before. Moffitt hired the auditing firm Ernst & Young to assess the situation.

Moffitt also brought in a forensic handwriting specialist to study the signatures of all 6,464 patients who had signed consent forms.

The specialist found reason to question 492 forms.

Moffitt has called and sent letters to all 492 patients, Dalton said. He knows of only one response, and in that case, the patient confirmed having signed the form. That indicates the problem could be limited, Dalton said.

Whether privacy laws were violated depends on how many consents were falsified and whether someone looked into patient files and found data protected by federal privacy laws. This includes anything that would reveal the identity of the patient.

"We don't want to use data patients don't know we're using," Dalton said. But he also said investigators had found nothing to indicate any privacy violation.

With most database inquiries, he said, the doctor wouldn't seek patients' personal information. The doctors mostly want to know how their tumors responded to treatment.

Though officials think the damage from the breach is likely minimal, they've developed a plan to ensure it doesn't happen again.

One measure will be to send consenting patients a card in the mail to ensure they know they've been enrolled in the project - and to give them a chance to withdraw if they wish.

Moffitt has also created a computer portal that patients can use to see their own records, including treatment histories and recommendations for the future.

One question Dalton and others haven't been able to answer is why this happened.

The consenters received nothing extra for enrolling a number of patients. The fired employee had cleared background checks. There was no pattern among the 492 suspicious cases.

Said Dalton, "I'm still struggling with what the motive could be."