[BreachExchange] HIPAA Criminal Prosecutions on the Rise

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 8 18:40:34 EDT 2016


http://www.databreachtoday.com/hipaa-criminal-prosecutions-on-rise-a-9330

A former Tampa General Hospital worker has been sentenced to 37 months in
federal prison in a case involving criminal HIPAA violations and tax fraud.

Some privacy and security experts say such prosecutions of HIPAA cases
could be on the rise - especially when the violations are tied to other
crimes. The Tampa case joins a handful of other recent cases involving
insiders who also received prison sentences for their illegal access or
disclosure of patient data.

"HIPAA criminal cases are rare, but the Department of Justice will bring
them if it turns out that insiders are using protected health information
for improper purposes - like identity theft, Medicare fraud, tax fraud, or
selling to the media," notes privacy attorney Kirk Nahra of the law firm
Wiley Rein LLP. "

In a statement, the U.S. Department of Justice says a U.S. district court
judge on Aug. 3 sentenced Shanakia Benton, a former worker at Tampa General
Hospital to 37 months in federal prison for wrongful disclosure of
individual identifiable health information and wire fraud.

As part of her sentence, Benton was ordered to pay $77,239 related to the
proceeds of the wire fraud. She pleaded guilty on May 2, 2016.

Case Details

Prosecutors say in court documents that Benton had access to the personal
health information of thousands of patients. "She regularly received
training regarding HIPAA, which prevents the unauthorized disclosure of
personal health information," the justice department says in its statement.

"Despite her training, between June 2011 and December 2012, Benton
illegally accessed the personal information of more than 600 TGH patients.
Benton and her accomplices then used that information to file at least 29
false tax returns seeking refunds totaling $226,000."

Benton was a unit customer service representative who provided clerical
assistance at the hospital, says a Tampa General Hospital spokesman.

The hospital has taken a number of measures to boost data security and
privacy, "but not just because of the incident," he says.

"We are keenly aware of the threats everyone faces from hackers and
criminals, and we always make use of the latest security enhancements," he
says. "Without going into specifics, we now have tools to mask the kinds of
information sought by identity thieves. We believe the enhanced security of
our electronic medical records, combined with the handing down of stiff
federal prison sentences and fines, acts as a deterrent that did not exist
at the time this crime took place."

More to Come?

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says
there likely will be more prosecutions of cases involving alleged criminal
HIPAA violations.

Identity theft, including filing of false tax returns, is not going away,"
he says. "When the crime occurs through the use of a healthcare provider's
protected health information, prosecutors may be getting more comfortable
using HIPAA's criminal provisions as a means to prosecute these crimes."

Other Cases

The sentencing of Benton in the Tampa General Hospital case follows the
recent conviction of another former healthcare worker at a different
hospital in Ohio.

In June, a federal jury in Ohio convicted Jamie Knapp, a former respiratory
therapist at ProMedica Bay Park Hospital in Oregon, Ohio of wrongly
obtaining individually identifiable health information. Prosecutors claimed
the therapist was using the patient information for seeking, obtaining or
using intravenous drugs (see Respiratory Therapist Convicted in HIPAA
Criminal Case).

In that case, indictment documents said that from May 10, 2013 to about
March 25, 2014, Knapp wrongfully obtained computerized PHI of approximately
596 ProMedica patients. Prosecutors said that in her capacity as a
respiratory therapist, Knapp was authorized to access individually
identifiable health information of certain respiratory patients, but she
accessed the HIPAA-protected information of others without authorization.

Knapp faces up to one year of prison. Her sentencing is tentatively slated
to occur no sooner than in October.

Also among other recent criminal HIPAA prosecutions was a case involving
Joshua Hippler, an employee of an unidentified hospital in East Texas. In
February 2015, Hippler was sentenced to serve 18 months in prison after
pleading guilty to wrongful disclosure of individually identifiable health
information (see Prison Term in HIPAA Violation Case). Federal prosecutors
in that case said that Hippler used his position as a hospital employee to
obtain PHI with the intent to use it for personal gain.

In one of the harshest sentences handed out so far in a HIPAA-related case,
Helene Michel, the former owner of a Long Island, N.Y., medical supply
company, was sentenced in April 2013 to serve 12 years in prison in a case
that also involved $10.7 million in Medicare fraud, as well as criminal
HIPAA violations.

Lessons Learned

Healthcare organizations should take notice of the emerging trend involving
criminal cases being filed against employees, Greene says. "For healthcare
providers, this [Benton] case is a reminder that, while much of the past
year's headlines have focused on external cyberattacks, insider threats
remain prevalent," he says.

"Organizations should consider where they have Social Security numbers and
other information at high risk for identity theft, whether there are ways
to further reduce access to such information, and how best to automatically
monitor for any suspicious patterns of access."

Healthcare attorney Betsy Hodge of the law firm Akerman LLP urges covered
entities and business associates to pay equal attention to threats outside
their organization - such as ransomware - and the internal risks that their
current or former employees and contractors pose to the privacy and
security of PHI.

"Earlier this month, the [Department of Health and Human Services] Office
for Civil Rights issued guidance stating that insider threats are becoming
'one of the largest threats to organizations' and providing recommendations
for mitigating the possibility of theft of electronic PHI or fraud
involving ePHI by employees and contractors," she notes (see Advice on
Spotting Insider Threats).

"The fact that OCR chose the topic of insider threats for its August
newsletter suggests that it is seeing an increasing number of incidents
involving breaches by current or former employees of covered entities and
business associates."

Warning to Workers

Recent criminal HIPAA cases should also serve as a wake-up call for
healthcare workers involved in nefarious activity, Nahra says. "Employees
should know that they are being monitored, and that they will get caught,
that they likely will be fired ... and could be prosecuted," he says.

But of course, not all HIPAA violation cases involving employees encompass
criminal activity, he notes. "These prosecutions are for inherently bad
things - they aren't for sending a fax to the wrong number or disclosing
mistakenly to a parent about a child, or any other slip-up or honest
mistake," Nahra says. The criminal cases involve "issues that people know
are wrong - no one commits tax fraud because they weren't trained
properly," he says.

"Employers also need to know that these kinds of activities can happen -
they need to monitor, audit, educate, inform, train, and make sure people
know they will get caught," Nahra says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160808/e7fda491/attachment.html>


More information about the BreachExchange mailing list