“I figured the hospital would be subject to a multi-million dollar HIPAA lawsuit if my hospital records were proven breached—which is exactly what happened.”
—Eric Drew, cancer patient and patient identity theft victim
CEO SUMMARY: Eric Drew’s story may be one of the most amazing to have happened in the modern age of laboratory medicine. It is actually two stories, intertwined. In the first, a patient with the nearly-always fatal diagnosis of acute lymphoblastic lymphoma fights for his life, desperately trying one experimental procedure after another. In the second, an employee of the laboratory in the hospital providing these treatments decides this patient, expected to die sooner rather than later, is the perfect victim for identity theft. What the phlebotomist did not count on was that his crime would actually motivate the victim to fight—both for his life and to see the thief of his identity brought to justice. THE DARK REPORT is presenting this exclusive interview with the victim, Eric Drew, as a way to help laboratories and pathology group practices understand how to improve their defenses against patient identity theft committed by their own employees. Pamela Scherer McLeod conducted this interview.
EDITOR: In a few short months in 2003 you took on two major battles. The first was a battle for your life after you were diagnosed with acute lymphoblastic leukemia (ALL). The second battle was to stop the financial devastation that was being perpetrated by a laboratory worker at Seattle Cancer Care Alliance(SCCA), where you were being treated.
You have survived five leukemia treatment cycles, including three transplant preps and two completed transplants. You single-handedly solved the crime that became the nation’s first criminal conviction under HIPAA (Health Insurance Portability and Accountability Act), with the result that identity thief and phlebotomist Richard W. Gibson now sits in a federal penitentiary serving a 16-month sentence, with $15,000 restitution yet to be paid.
Hospitals and laboratories throughout the country will benefit from your first-hand account of how this crime by a laboratory technician happened and your advice on what hospitals and laboratories need to do to further protect their patients against the crime of identity theft. Share with us, please, how this incredible story began.
DREW: In December 2002, after feeling ill since about November, I was diagnosed with acute lymphoblastic leukemia (ALL) and told that I had five days to live unless I got treatment. This diagnosis was unexpected. I had just donated platelets for children with leukemia in my home town of Los Gatos, California. I’ve been an apheresis donor for about ten years. Apheresis is something that my mom had been doing for years. I was immediately sent to Stanford University Medical Center for chemotherapy and radiation treatment. That went on for ten months, until September 2003.
EDITOR: It was during this time that you started the Drew Foundation to raise money and awareness for leukemia?
DREW: Yes, I started the foundation and organized a bone-marrow registration drive in 2003. Nearly 1,000 people showed up. The foundation (www.drewfoundation.org) has raised over $250,000 for charities and individual patients. The hours that I spent trying to deal with this identity theft situation were hours that I otherwise would have spent raising money for the foundation.
EDITOR: How did you end up in Seattle, Washington at the Seattle Cancer Care Alliance(SCCA)?
DREW: The chemo treatments at Stanford did not work. My half-sister, whom I had just met a couple of years prior to all this, was working as a physician’s assistant in the bone marrow transplant program at the Fred Hutchinson Cancer Research Center in Seattle. She immediately flew down to Los Gatos to consult with me about their protocols. On September 9, 2003, I entered the Fred Hutchinson Cancer Research Center, which is part of the University of Washington Medical Center. SCCA is on the Hutch campus. It is an outpatient hospital where the treatments actually take place. I began undergoing tests on Sept. 10, 2003.
EDITOR: How soon afterwards did you become aware that someone had stolen your identity and was on a spending spree using your name and credit?
DREW: Only seven to ten days after arriving at SCCA! I began receiving notices from banks and creditors thanking me for credit applications that I had never submitted. This was troubling because, before I started my treatment, I had deliberately closed all but one or two of my accounts at home. I had not opened any new ones. I had not done any business of any kind in Seattle—other than my business with SCCA. There was no opportunity for anyone to access my information, except through the hospital records. It was obvious to me that somebody from
the clinic had taken my information. At the time, I realized that the identity thief had figured “This guy has a terminal disease. There’s no treatment that can cure him. I can steal his identity and, because he is soon to die, no one will ever try and solve this case.”
EDITOR: At what point did you notify the hospital or the authorities that you suspected identity theft?
DREW: Pretty much right away—as soon as I started getting “thank you for your credit application” letters from credit card companies. I called the Seattle Police Department. They didn’t even assign me a case number, much less assign an investigator. They told me they get 100 of these cases a week. I finally became so frustrated with the Seattle police that, in mid-December 2003, I contacted the chief of police in my home town of Los Gatos, California. He’s a friend of mine. He did assign me a case number and an officer. But nothing really came of that.
EDITOR: What about the people at the hospital? Did you get any help there?
DREW: I contacted the compliance office at the University of Washington Medical Center. They were no help at all. They asked me how I knew it was a hospital employee and said that, even if it were, there would be no way to prove it.
In December 2003, I began receiving telephone calls from credit card companies for non-payment. Gibson had opened the first fraudulent credit card in my name, an AT&T Universal Card, on Oct. 17, 2003. He ran up $7,180.81 in charges. He bought everything from jewelry and video games to gas, incidental groceries and home improvement merchandise. He was using it for everything.
“I contacted the compliance office at the University of Washington Medical Center. They were no help at all. They asked me how I knew it was a hospital employee and said, even if it were, there would be no way to prove it.”
I had been through unmitigated hell since arriving in Seattle in preparation for a haploid transplant. The procedures were torturous. I went through very painful radiation treatments, spinal injections, chemo poisoning, and bone marrow biopsies. A couple of weeks after I began receiving letters about these new fraudulent applications, I also had gotten disappointing news. The haploid transplant did not offer the 50% chance of survival as I had previously thought. Actually, the chances were only 10% to 15% and I think the doctors were being kind by giving me these figures. I was trying desperately to research and explore alternative solutions to try and save my life. It was a very difficult time for me.
EDITOR: You had gotten no help from the police or the hospital. Where did you next turn?
DREW: When the “thank you” letters began arriving in September, I started a file. I was trying to piece things together. About mid-December, I started meeting with Richard Meeks, the HIPAA compliance officer at University of Washington Medical Center. I demanded to know who had access to my records. I wanted to know also how my information had been sent from Stanford to SCCA. I did not get any kind of helpful response. He just said that he was sorry this was happening to me.
I also contacted Aleana Waite, Director of Quality and Patient and Family Services at SCCA. She was like everyone I spoke to in the hospital at this time about the obvious theft of my identity. They were all just telling me there was nothing they could do.
They rolled their eyes and treated me as though I were just some unruly patient. They were very patronizing. I thought later, why would the hospital help me? I figured the hospital would be subject to a multi-million dollar HIPAA violation if my hospital records were to be proven breached—which is exactly what happened!
EDITOR: And you were doing this concurrently with your treatment?
DREW: I was doing as much as my physical condition would allow to deal with the identity theft and to get it stopped. I was earnestly trying to get someone interested enough to help me. My doctors and my family were all trying to get me to drop it. They kept saying, “Just cancel the accounts, file a complaint, and move on or you’re going to stress yourself to death.”
That would have all been well and good, but more and more calls from the banks and creditors demanding money kept coming each day. In retrospect, I have to thank Mr. Gibson. He probably saved my life. I was so angry and frustrated and felt so little control in my life on all fronts. I viewed solving my identity theft case as the one thing in my life over which I could take control. I knew something could be done. It’s just that nobody, anywhere in the system, was willing to do it. For my part, I believed I knew how to get the information needed to nail this guy.
On December 23, 2003, I had my first bone marrow transplant—a haploid (half-match) with my half-sister Alexa as a donor. She’s the PA who had worked in the bone marrow transplant at Hutch for five years. I became very ill after the transplant and was near death several times.
By mid-January 2004, I was feeling exceptionally well, better than expected. On the downside, I had a ton of mail and voice messages from credit card companies, dunning me for late payments. Of course, I had been in no condition to attend to my mail.
I realized that all the police reports and the reports I had made to creditors back in October had gone unheard. That’s when I decided, “okay, I’m going to catch this guy.” I began spending 10 to 12 hours per day investigating this case. There were even times when I went down to the Seattle docks, scarcely able to walk and tubes hanging from my chest, to talk with some pretty scary characters trying to track down leads. The police, the hospital, the press, nobody was helping me at this time, even though I provided them with a lot of information on what I had found. I had gathered enough evidence to turn the case over to the police on a silver platter. And still they had done nothing.
EDITOR: How did you go about it? What steps did you take?
DREW: I had once been Vice President of a mortgage banking firm. I was very familiar with the credit reporting industry. I knew that it was one source of information that could help solve this crime. However, when I directly contacted the three national credit repositories, as a consumer, to notify them of the identity theft and ask for detailed information about transactions occurring under my name, they were not cooperative.
So I did something that is unavailable to most consumers. With the help of some friends in the mortgage banking business, we ran the type of detailed credit profile that is available to lenders. By combining that information with the credit card statements I was receiving, I was able to learn to which address the new credit cards were being delivered. I then contacted a real estate title company and obtained the name of the owner of the residence at that address.
I sent a letter to the owner of the residence and later received a call from a woman who said she was the owner’s mother. The owner, it seems, was in the pen serving 30 years for murder. She gave me the name of Keisha Gibson, who was living at the residence with her two children, ages eight and five. I telephoned Keisha Gibson, who was working as a legal secretary at the time. I told her why I was calling. She said she did not know what was going on— that someone else might be using her mailbox.
“You can’t imagine how frustrated I was that no one would make the slightest effort to help—police, banks granting credit under my name, credit agencies, and now the hospital.”
When I realized I had the likely address for the identity thief, I contacted the post office that served that area and obtained the name of the manager and the route carrier. I asked them why they were delivering mail with so many different names to one address where only a woman and two children lived. They simply answered that the United States Postal Service was unable to manage situations like that. It just delivers mail as addressed.
About this time I actually went out and took photographs of the house, which had a fancy new barbeque grill out front. I didn’t know it at the time, but that grill had been bought with one of the credit cards opened under my name!
EDITOR: Did you notify the police?
DREW: Absolutely! I turned this information over to the Seattle police, to a Detective Al Thompson. I called Richard Meeks again, the compliance officer at the University of Washington Medical Center (UWMC). And I also called Aleana Waite at SCCA. I gave them the name Keisha Gibson and the address I had found to which the cards were going. I requested that they check their employee records to see if there was, or had been, anyone named Gibson in their employ during the time I was a patient. I was very disappointed at their response. They told me they ran a check to see if any employee lived at the Keisha Gibson address. But they did not offer to check their employees for a “Gibson.” Nor did they share with me any knowledge that someone named “Gibson” might have been working anywhere near the areas where I had been a patient, at the time I was in their hospital.
EDITOR: It strikes me that this was an opportunity for the hospital to “do the right thing” and investigate the possibility that a “Gibson” working for them might have been in a position to have accessed your confidential data.
DREW: That was both my expectation and hope. You can’t imagine how frustrated I was that no one would make the slightest effort to help—police, banks granting credit under my name, credit agencies, and now the hospital.
EDITOR: Did the information you provided to the hospital make a difference?
DREW: Nothing that proved helpful or stopped Gibson’s continuing to open fraudulent accounts in my name. These hospital officials just kept telling me they checked their records and nothing showed unauthorized access to my information.
EDITOR: THE DARK REPORT understands that you issued a press release about your identity theft case.
DREW: Yes. I had drafted a press release describing the details of my circumstances and what was happening to me—that while I was seeking treatment for a usually-fatal form of cancer at SCCA, a healthcare worker right there in Seattle had stolen my protected information. This thief was running up thousands of dollars in charges. He was getting away with it and the authorities were being of no help whatsoever. I disseminated the press release to every media outlet I could think of: the Seattle Police Department, the Seattle Mayor’s Office, the FBI, the City Attorney, the Washington state Attorney General’s office, the U.S. Attorney General’s office, the U.S. Attorney’s office in Seattle, CNN, NBC, local newspapers, and local radio and television outlets.
EDITOR: Surely you got someone to respond?
DREW: After the press release, the Seattle mayor contacted the head of fraud at the police department, a Detective Eng. then instructed Detective Thompson to take a statement from me. They finally took a statement and gave me a case number. That was it. It never went anywhere from there. I never got any kind of help from them.
EDITOR: What happened when you contacted the FBI?
DREW: The duty officer gave me the impression that the FBI did not care. He said to call the Secret Service, that they were now the agency which handled fraud. He said to call back later and hung up on me. He was rude. I called the FBI so many times, they threatened to put a restraining order on me.
EDITOR: What about the banks in all this? Were they any help?
DREW: Hardly. It’s a situation where the right hand of the bank has no idea what the left hand is doing. I felt more violated by the banks than by Richard Gibson. I consider them to be the biggest enablers in all this. Their policies and procedures are what make identity theft ridiculously easy for the bad guys.
“I felt more violated by the banks than by Richard Gibson. I consider them to be the biggest enablers in all this. Their policies and procedures are what make identity theft ridiculously easy for the bad guys.”
For example, on November 11, 2003, Chase Bank sent me a letter about being delighted that I had applied for an account with them. The letter also stated that, if I, in fact, had not applied for the card, I should call them right away. If they did not hear from me, they would continue to process the application. Of course, Chase Bank had no procedure to cover a situation where someone was too ill—or out of pocket for any reason—and thus not available to respond. It’s a stacked deck—and not in favor of the consumer!
Here these banks take information from anybody, and, with no verification, open these credit card accounts. Then, later, when I notify them of the fraud, they wanted me to provide them with all kinds of affidavits and other proof of identity to close the fraudulent accounts! It was the same with the credit reporting agencies. Equifax informed me that I would have to submit a signed affidavit and proof of identity documents. All the burden is put on the honest consumer. And these things take an incredible amount of time; it’s very disruptive to someone’s life. The banks know that they are still coming out ahead. They’re still making money. This is just the cost of doing business for them. But it’s a nightmare for consumers who find themselves victims of identity theft.
Capital Onedid send me a letter of inquiry because the addresses did not match up. CitiCorp sent me an identity theft tool kit. I also learned that Gibson had made a $5,700 payment to them on a Nevada bank.
EDITOR: Your perseverance was remark- able, to say the least. What finally happened that led to Gibson’s arrest?
DREW: My big break came when KING5 Television, the local NBC affiliate, called and wanted to interview me. They had received the press release. The hospital didn’t want me to do the interview. I was in the middle of a treatment and had tubes all over. I was having three transfusions a day, just to stay alive. I demanded that they stop the treatment and told them I would pull out all the tubes myself if I had to, but that I was going to do that interview.
EDITOR: On February 11, 2004, KING5 news aired a segment. I’d like to share part of the broadcast: “Cancer patient is victim of ID fraud… Eric Drew, 36, a leukemia patient fighting for his life, said someone has stolen his identity and made thousands of dollars in purchases.”
DREW: The TV interview raised everything to a whole new level. KING5 aired it several times a day. Suddenly, everybody got interested.
EDITOR: Who contacted you at that point?
DREW: After my story aired on the TV news, I was contacted by Aleana Waite and Julie Hamilton, the privacy officer at SCCA. They said they were very sorry this had happened to me and asked if there were any way they could help.
EDITOR: Was this the first time the hospital proactively offered support?
DREW: Yes, but it was an offer, not action. Remember, they had the name “Gibson” and had still not offered me any specific information about whether or not someone with that name might have been employed by them and had access to my patient records.
EDITOR: How did you push your investigation, now that the TV news broadcasts were bringing attention to your plight?
DREW: Weeks earlier, I had contacted retail stores where Gibson had used the fraudulent credit cards. I had asked them to check their surveillance tapes. At that time, no one would help. That changed once the TV news feature was broadcast. A public communications officer at Lowe’s Home Improvement Centers called and offered to help me. Lowe’s gave me the date and time of the purchase where Gibson had bought some home improvement materials. They could not turn the surveillance tape over to me; they said they could only turn it over to the police. Chris Daniels, the KING5 reporter who had interviewed me, called Detective Thompson at the Seattle Police Department. He told the detective that if he would get the tape, KING5 would air it.
On Thursday, February 26, 2004, KING5 aired the surveillance tape showing Gibson making the purchases at Lowe’s. That blew the lid off! People started calling the police station, the TV station, the hospital. They identified the thief as Richard Gibson, 42, a laboratory employee of SCCA. Chris Daniels, the KING5 reporter who was helping me, called me to tell me the news. They had a positive identification of the perp. It was a vindicating moment!
EDITOR: You must have been excited about this break in your case.
DREW: Yes. The next morning, on Friday, I had to go back to SCCA’s lab for more transfusions. Gibson had not shown up to work. The people in the lab were very upset. Some were crying. They couldn’t believe it had been someone in their lab. The phlebotomist that drew my blood avoided looking me in the eye. KING5 interviewed me again that day, along with Norman
Hubbard, the COO at SCCA.
EDITOR: What about law enforcement? What did they do, now that you singlehandedly solved the crime for them— that is, you and the TV reporter?
DREW: On March 2, 2004, four days after the TV broadcast of his photo and almost six months after this nightmare started, Richard Gibson turned himself in. KING5 got footage of him walking into the police station with his attorney. Chris Daniels, the KING5 reporter, shouted with a microphone pointed toward Gibson, “What do you have to say to Eric Drew?” Gibson’s attorney just said, “No comment.”
EDITOR: So how did the case proceed?
DREW: It was appalling. The prosecutors in Seattle did not know how to press charges against him, even though I had all the evidence against him in the file I had spent months building. So, after 24 hours, they released him against a small amount of bail. This, even though they had the surveillance video tape of him engaged in criminal behavior.
“It was appalling. The prosecutors in Seattle did not know how to press charges against him, even though I had all the evidence on him in the file I had spent months building. So they let him go. ”
EDITOR: That’s amazing! What did you next do?
DREW: This turn of events surprisingly worked in my favor. Within a day of Gibson turning himself in, I again contacted the U.S. Attorney’s office in Washington, DC. I was determined that Gibson be prosecuted as a HIPAA violation. I was told they had heard of my story and they finally agreed to assign me some help. The national office referred me to the head federal prosecutor in Seattle, Vince Lombardi—I believe he’s the grandson of Green Bay Packer Head Coach Vince Lombardi. Lombardi called me a couple of days after the arrest and told me that he was assigning a U.S. attorney and an FBI special agent to my case.
EDITOR: Was this a serious investigation?
DREW: Assistant U.S. Attorney Susan Loitz was assigned to prosecute the case. FBI Special Agent James Rogers spent about six months investigating it. Using the file I had amassed, he pulled the pieces together. By now, I knew this would be federal prosecution against someone for a criminal violation of the new HIPAA laws which were intended to protect patients.
EDITOR: HIPAA does provide for sanctions against providers which disclose confidential patient information. How did that play a role in the decision to include or exclude SCCA from any legal action?
DREW: The U.S. Assistant Attorney had a number of statutes under which they could have proceeded. I told Susan Loitz that I didn’t want them to go after the hospital. They are good people. They just screwed up by not listening to me.
EDITOR: That’s a charitable view, considering your earlier statements about their unwillingness to say much more than that “we have no evidence of unauthorized access to your patient information.”
DREW: True, but the bad guy in this episode is Gibson and I wanted him to face the consequences of his crime.
EDITOR: What is going on with phlebotomist Gibson during this time?
DREW: Gibson was out walking the street. He must have thought he was going to get off scott-free.
EDITOR: Didn’t Seattle Cancer Care Hospital, now that they had Gibson’s identity, fire him?
DREW: Yes, but he was certainly unconcerned about his crime and its potential consequences. After SCCA fired him, he continued to work at Seattle Community College, where he was teaching phlebotomy at one of the local community colleges. He also had the temerity to not only apply for unemployment benefits, but he then filed an appeal when his claim was denied. He admitted to everything in his claim. The Administrative Law Judge’s Order lays out how Gibson admitted to taking my private patient information while he was employed at SCCA and using it for personal gain—with the knowledge he was violating the law. Also, Gibson had claimed that he did not know that I was a patient at the time he fraudulently used my information.
EDITOR: Did he ever say how he got your information while you were in the
DREW: Well, the only statement he made to the authorities was a story he told the Administrative Law Judge at the unemployment appeal hearing. He stated that he had found my information on a piece of paper lying on the floor of a men’s bathroom inside the hospital.
EDITOR: What did SCCA tell you about how they thought he got access to your
DREW: SCCA’s response was a nonresponse. All they would say is “we’ve checked our systems and we have no evidence that any unauthorized individual accessed your records.”
EDITOR: So what is the next development in the case?
DREW: In June 2004, the U.S. Attorney’s Office came to me and said that they wanted to offer Gibson a low sentence in response to his agreement to plead guilty. They asked if I would agree to it. I told them I did not care what specific penalty he received for his crime, so long as they charged him under the federal HIPAA statute. That’s because I had no confidence in the Seattle Police Department. I wanted the federal court to take responsibility. After what I had been through, I wanted to establish some legal precedent so that no one else would have to go through what I went through. The FBI put me in the federal witness protection and assistance program. I began working with the hospital to help them clean up the mess created by this identity theft case.
EDITOR: What happens next in your story?
DREW: By the last part of June, 2004, I had again traveled from California to
Seattle for a second half-match bone marrow transplant. When I checked back in at the lobby of SCCA, the admitting receptionist was going over all of my information with me again. Here was all my critical demographic-identifying information—right there in the lobby of a busy hospital! My social security number, financial data, and personal information were all on that piece of paper, visible to anyone that might handle my file. After everything I had gone through, I was most unhappy about this situation!
“I can certainly imagine how that paper file, as it traveled around Seattle Cancer Care Alliance, could have been viewed by any employee. Moreover, how would the hospital have any way to know who saw my paper patient records?”
EDITOR: Is that because you now appreciate the risk that paper records generate in a hospital or physicians office?
DREW: That’s a hot button with me. I complained about that situation to the receptionist. And I can certainly imagine how that paper file, as it traveled around the Seattle Cancer Care Center and back to the records storage, could have been viewed by any employee. Moreover, how would the hospital have any way to know who saw my paper patient records?
EDITOR: Controlling access to paper files is something that should now make every hospital, laboratory, and pathology group practice nervous about their vulnerability to an employee intent on committing a patient identity theft crime. What happens to you next?
DREW: Everything was ready to go on the second transplant when it was decided that I needed to go through a much more aggressive and dangerous experimental procedure—one that was not available at SCCA. So I traveled to the University of Minnesota in Minneapolis. Here I underwent a very experimental cord blood transplant, using cords flown over from Italy. This seemed to be my best chance for long-term survival. While I was in Minneapolis, two FBI agents came to the hospital. From my hospital bed, they video-taped a three-minute victim impact statement from me. This was played at Gibson’s sentencing.
EDITOR: What was Gibson’s sentence?
DREW: He is currently serving 16 months in a federal penitentiary. He must also pay restitution of about $15,000. He was sentenced on November 5, 2004, about 14 months after he launched his crime against me.
EDITOR: Eric, yours is an astonishing story. In concluding this interview, you have an opportunity to address the major players in laboratory medicine in this country. What recommendations would you offer them about how they can improve protections against patient identity theft in their laboratories?
DREW: First, laboratories should severely limit which employees have access to a patient’s sensitive demographic information. Sensitive information needs to be kept in secure electronic files with secured access only to those authorized to see such information.
EDITOR: You are emphasizing an electronic records system. What about paper records?
DREW: Any hard copies that are kept should be stored in a locked vault with restricted access. As a patient, I would prefer to know that anyone having access to any of my confidential information should be required to have some sort of official clearance or licensing, just like a notary public, for example. Medical facilities should be required to use something other than social security numbers on their records. Anyone working in a medical lab should have to go through some type of intense screening as part of the hiring process.
EDITOR: How should a laboratory or pathology group practice respond when a patient notifies them of a possible breach in their personal and confidential information?
DREW: When a patient alerts a facility that they suspect identity theft has occurred, by all means that facility should take that patient seriously. Employees must listen closely to the patient. The healthcare facility should have an established protocol for investigating their employees who have had access to protected information. I want to emphasize that this is an easy crime to commit. Laboratories must become alert to this threat.
EDITOR: Thank you, Eric, for your time in sharing this remarkable story with
us. You have our sincere wishes for a long and healthy life.
DREW: I’d like to thank you for the opportunity to speak out. As your readers have learned, my biggest frustration was that, as a single and very sick patient, no one and no part of the system would listen to me and help me until the television news got involved. Please remember that fact. Whenever a patient surfaces with a suspicion or episode like mine about identity theft, I’d like to think that laboratory folks will remember this story and respond effectively to this patient.