Prosecutors Are Not Pursuing HIPAA Criminal Charges
A former administrative worker at a Florida-based pediatric practice has been indicted in federal court along with two others for alleged identity theft and fraud crimes involving stolen patient information. But no HIPAA-related criminal charges were filed in the case.
The 23-count indictment, filed July 26 in U.S. district court in Tampa, Fla., alleges that Anthony Michael Harris, a former administrative employee in the Tampa office of Pediatric Gastroenterology, Hepatology & Nutrition of Florida, conspired with two other individuals, Larry Chance Cox and Maurice Rahmaan, to commit tax, mail, wire and access device fraud, as well as identity theft.
"It was a part of the conspiracy that the conspirators and others would, and did, steal and obtain stolen personally identifiable information from Pediatric Gastroenterology, Hepatology & Nutrition of Florida, among other sources. This stolen PII included names, dates of birth, and Social Security numbers, among other things, of the medical practice's current and former patients, patients' parents and patients' guardians," an indictment document notes.
Federal prosecutors say the conspirators, using the stolen PII, electronically applied "for credit cards and lines of credit to Discover, Capital One, and other financial services firms," and then used or attempted to use the unauthorized credit cards to purchase items from retailers and withdraw cash from ATMs.
Additionally, prosecutors allege that the stolen PII was used to file fraudulent federal income tax returns in an attempt to obtain tax refunds. Court documents do not indicate the total dollar amount involved in the alleged tax and other fraud crimes.
Court records indicate that Harris and Rahmaan were arrested and each released on $50,000 bond, while Cox was released on $75,000 bond. No trial date has been set.
An attorney representing Harris did not immediately respond to an ISMG inquiry about the case.
Breach Investigation
The Department of Health and Human Services' Office for Civil Rights appears to have closed an investigation into the Pediatric Gastroenterology incident, which is listed on its "wall of shame" tally of major breaches as affecting 13,000 individuals.
The listing notes that on June 25, 2015, the Tampa Police Department notified the clinic that paper printouts from the facility were found during a criminal investigation. "An employee of the CE [HIPAA covered entity] removed appointment sheets containing the names, Social Security numbers, dates of birth and account numbers of 13,000 patients from the premises without authorization," OCR notes.
Beyond notifying OCR and the affected individuals of the breach and setting up a toll-free number to answer questions, Pediatric Gastroenterology took a number of other steps to bolster security and privacy in the wake of the incident, OCR notes.
"Following the breach, the CE reviewed its policies and retrained staff on its HIPAA privacy and security policies ... [and] implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic PHI," OCR says. "The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. The CE also terminated the involved employee's employment. The employee was criminally investigated for actions related to this breach."
Pediatric Gastroenterology did not immediately respond to an ISMG request for comment.
No HIPAA-Related Charges
Despite the multiple counts of fraud-related crimes involving protected health information in the case, court documents indicate that neither Harris nor his alleged co-conspirators were indicted for any criminal HIPAA violations.
A spokeswoman for the U.S. Attorney's Office in the Middle District of Florida declined to comment on why prosecutors did not pursue any HIPAA-related charges.
While criminal HIPAA cases are rare, there have been some notable prosecutions over the last few years. That includes a recent case involving a former Tampa General Hospital worker who was sentenced on Aug. 3 to 37 months in federal prison on HIPAA violations and tax fraud charges (see HIPAA Criminal Prosecutions on Rise).
"Prosecutors have lots of choices on how to pursue these cases and often just do what they are used to doing from previous cases," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
The factors prosecutors weigh in deciding whether to pursue HIPAA violations in fraud cases involving patient information can vary based on a number of considerations, notes privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.
"First, the elements of the crimes of identity theft and fraud may be easier to prove, are more familiar to judges and juries that are the triers of fact, are punishable with longer prison sentences and fines, as well as allow the government to seek forfeiture of assets obtained through the performance of the fraud or ID theft," he says. "In addition, it may be easier to prove these crimes because the evidence is in the records maintained by the credit card companies and banks that lost money through these schemes."
The Insider Threat
The Pediatric Gastroenterology case highlights the threats that insiders can pose.
"Studies have shown a persistent threat from unauthorized disclosure of PHI by insiders, whether it be stalking, snooping or like here using patient financial information for financial crimes," Holtzman says.
He advises organizations to "take action to perform a background investigation of workforce members who have access to PHI and financial information. Use software applications to monitor activity of those who have access to patient records, including contractors and outsiders given access to your organization's information systems."
Nahra adds: "I make the point to every company I work with that employees that have access to sensitive data are a significant risk. You need to have a plan to control access as best you can, educate staff on rules and sanctions and then monitor and enforce reasonably but aggressively."
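Holtzman's advice to monitor the activity of everyone with access to patient records, and Nahra's to monitor and enforce, can be made concrete with a small detector over an EHR audit log. The following is an added example written for this article; it is not software used by the practice, OCR or any vendor. It assumes a log format of one event per line (timestamp, user, role, action, patient ID), uses a role-peer baseline, and picks a multiplier and floor purely for illustration. The log lines are constructed: four front-desk users touch a handful of charts a day, while a fifth account prints 40 charts in one evening, the kind of bulk access that produced the 13,000-patient appointment printouts in this case.

```python
"""Flag bulk patient-chart access by one workforce member in an EHR audit log.

Added example for this article, not code from the practice or any vendor.
Assumptions: log format (timestamp user role action patient_id), a baseline
taken as the median daily distinct-chart count across peers in the same
role, and a threshold of max(floor, multiplier * baseline).
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed audit log (not real data). Users u1-u4 view 4 charts on
# 2015-06-22 and 5 on 2015-06-23; u5 views one chart, then prints 40.
CONSTRUCTED_LOG = "\n".join(
    [f"2015-06-22T09:{m:02d}:00 u{u} frontdesk VIEW P{1000 + u * 10 + m}"
     for u in range(1, 5) for m in range(4)]
    + [f"2015-06-23T09:{m:02d}:00 u{u} frontdesk VIEW P{1000 + u * 10 + m}"
       for u in range(1, 5) for m in range(5)]
    + ["2015-06-22T10:00:00 u5 frontdesk VIEW P1099"]
    + [f"2015-06-23T18:{m:02d}:00 u5 frontdesk PRINT P{2000 + m}"
       for m in range(40)]
)


def parse_log(text):
    """Parse whitespace-separated audit events into dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({"date": ts[:10], "user": user, "role": role,
                       "action": action, "patient": patient})
    return events


def summarize_by_user_day(events):
    """Return ({(user, date): set(patient ids)}, {(user, date): Counter(action)},
    {user: role})."""
    charts = defaultdict(set)
    actions = defaultdict(Counter)
    roles = {}
    for e in events:
        key = (e["user"], e["date"])
        charts[key].add(e["patient"])
        actions[key][e["action"]] += 1
        roles[e["user"]] = e["role"]
    return charts, actions, roles


def flag_bulk_access(events, multiplier=3.0, floor=10):
    """Alert on any user-day whose distinct-chart count exceeds
    max(floor, multiplier * median daily count for that role).

    The median (not the mean) is used so that the insider's own burst does
    not inflate the baseline it is compared against.
    """
    charts, actions, roles = summarize_by_user_day(events)
    per_role = defaultdict(list)
    for (user, _day), pats in charts.items():
        per_role[roles[user]].append(len(pats))
    baseline = {role: median(counts) for role, counts in per_role.items()}

    alerts = []
    for (user, day), pats in sorted(charts.items()):
        threshold = max(floor, multiplier * baseline[roles[user]])
        if len(pats) > threshold:
            acts = actions[(user, day)]
            alerts.append({
                "user": user,
                "date": day,
                "charts": len(pats),
                "threshold": threshold,
                # Print/export events matter most: they put PHI on paper
                # or on removable media that can leave the building.
                "printed": acts["PRINT"] + acts["EXPORT"],
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_access(parse_log(CONSTRUCTED_LOG)):
        print(alert)
```

On the constructed log the peer baseline is 4.5 charts per day, so the threshold is 13.5, and only u5 on 2015-06-23 (40 charts, all printed) is flagged. In practice the baseline would be computed from a trailing window rather than from the same data being scored, and the PRINT/EXPORT count would be escalated on its own, since the volume that matters for a breach notification is what left the system, not what was viewed.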