The University of Texas Southwestern Medical Center is advising 12,000 patients to guard against fraud after a former employee was found in possession of a limited amount of patient billing data.

Authorities discovered in September that a cashier in the hospital's finance department, Tracy Renay Thomas of Dallas, had billing and insurance information from 21 patients. The hospital alerted those patients by phone.

Police found the breach during a widening inquiry into Thomas' boyfriend, Louis Tatum of Dallas. Authorities allege that Tatum, with aid from Thomas, engineered a theft ring meant to profit from stolen identities, according to court records.

A grand jury has indicted Thomas and Tatum on fraud charges. Thomas was released on $5,000 bail, while Tatum remained in the Dallas County Jail on Friday.

In all, hospital officials say, Thomas may have compromised the billing or insurance information of as many as 200 UT Southwestern patients. She did not have access to medical records, they said.

The discovery prompted UT Southwestern to send a letter to 12,000 patients on Feb. 24 warning them of the breach. The letter went only to patients whose billing records were accessible to Thomas.

UT Southwestern decided to mail letters to the larger group of patients out of "an abundance of caution," hospital spokesman John Walls said.

"It's important to note that we're talking about a small group of people," he said. Walls said he could not recall a similar security breach at the hospital.

Thomas, who worked at UT Southwestern from March until September 2009, had access to personal, insurance and payment information.

Walls said no patients have yet been victimized by fraudulent charges to their accounts.

Still, the hospital advised patients who received the letter to monitor their credit and consider placing their accounts under fraud detection alerts. In its letter, the hospital said it would provide concerned parties free credit monitoring services for up to a year.

News of the records breach sparked concern among patients and their families.

Michele Dempsey said hospital police first contacted her in September. Investigators showed her a check found at Thomas' house. It was a check Dempsey had sent to the hospital months earlier. The slip had her Social Security number and birth date written across the top.

"I don't like it happening to me. I've been scared since the day I found out," said Dempsey, 67, of Dallas.

Jean Jury, 87, who has visited UT Southwestern recently to treat lung problems, received one of the hospital's warning letters this week. Son Harvey Jury wished the hospital had notified credit agencies on behalf of its patients.

"I was just irritated with the way they handled it," he said.

UT Southwestern provides in-patient care to about 97,000 people annually, according to its Web site.

As breaches in medical and other records have become more frequent, the government has begun requiring hospitals to disclose cases of stolen records. The federal Department of Health and Human Services keeps an online database that tracks the biggest incidents.

Those records reflect several recent breaches in Texas, including nearly 700 records compromised in the Methodist Hospital System in January and 3,800 at Children's Medical Center Dallas in mid-November.

Investigators continue to sort through Tatum's alleged theft ring, which includes accusations of credit card abuse and to obtain false credit lines and gift cards.

Thomas' attorney, Phillip Robertson, said his client regrets how events have unfolded.

"She is so upset and ashamed and embarrassed about even being a part of this," he said.

Selwyn Crawford also contributed to this report.

The University of Texas Southwestern Medical Center offered these tips to the 12,000 patients who received a recent letter advising them of a theft of financial records.

• The potential for theft applies only to those who received the warning letter.

• Of the 12,000 people who received the letter, only 100 to 200 are thought to have had their information stolen.

• Those who received the letter and still have questions can contact Cynthia Snyder, the hospital's privacy officer, at 877-887-9623 or at privacyoffice@utsouthwestern.edu. Those who call on the weekend can leave a message.