Healthcare , HIPAA/HITECH , Industry Specific
5 Hospital Workers Charged with Selling Patient InformationData of Patients Hurt in Auto Accidents Allegedly Sold to Chiropractors, Attorneys
Authorities charged six people, including five former Tennessee hospital workers, with conspiracy in disclosing health data. Federal prosecutors say the six sold the information about patients involved in motor vehicle accidents to third parties, including chiropractors and personal injury attorneys.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The U.S. Justice Department in a statement says a federal grand jury on Nov. 10 indicted five former employees of Memphis, Tennessee-based Methodist Le Bonheur Healthcare with accessing and disclosing patient information to a sixth individual, Roderick Harvey, without the knowledge, consent or authorization of the patients.
Prosecutors say Harvey, a resident of Arizona with ties to western Tennessee, is a self-described entrepreneur who calls himself "SuitGuyHarvey."
The former hospital employees charged in the case are Kirby Dandridge, Sylvia Taylor, Kara Thompson, Melanie Russell and Adrianna Taber. Court documents say that between November 2017 and December 2020, Harvey paid the Methodist workers for names and phone numbers of patients who had been involved in motor vehicle accidents.
Four of the employees worked as financial counselors at Methodist Healthcare, and one of the individuals held a variety of roles, including PBX unit secretary, according to court documents.
The longest-tenured employee, Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, according to court documents.
All six were charged with conspiracy to defraud the U.S. government. The conspiracy charge carries a maximum penalty of five years in prison, a fine of $250,000 and three years of supervised release.
Dandridge, Taylor, Thompson, Russell and Taber were each charged with separate violations of disclosing the information to Harvey in violation of HIPAA. That charge carries a maximum penalty of one year in prison, a $50,000 fine and one year of supervised release.
Harvey also was charged with seven counts of obtaining patient information with the intent to sell it for financial gain on various dates between November 2017 and September 2019. Each of those charges carries a maximum penalty of 10 years in prison, a fine of $250,000 and three years of supervised release.
The Justice Department declined further comment to Information Security Media Group, saying the investigation is ongoing.
About 1,500 Patients Affected
A Methodist Le Bonheur Healthcare spokesperson tells ISMG that about 1,500 patients were affected in the situation and each was notified.
"We take the security of our patient's private information very seriously. Once we became aware of the situation, we promptly took action and alerted the appropriate legal authorities," Methodist says in a statement to ISMG. "While there is no evidence of financial information being disclosed, we are offering free credit reporting for those affected."
Attorneys representing the defendants did not immediately respond to ISMG's requests for comment.
Privacy attorney Kirk Nahra of the law firm WilmerHale says that while HIPAA criminal prosecutions are still relatively rare, the Methodist example fits the pattern of cases seen in the past.
"They tend to involve stealing patient information for ID theft or healthcare fraud, or selling to a media entity or selling in this kind of situation to someone else - a plaintiff's attorney or otherwise, who then financially benefits from the access to that information," says Nahra, who is not involved in the Methodist case.
"Healthcare entities need to be carefully monitoring for these kinds of insider problems, but many of these are very hard to identify through 'typical' monitoring, which is why they often come to light through other broader investigations," Nahra adds.
Regulatory attorney Rachel Rose, who is not involved in the Methodist case, says criminal HIPAA violations are typically discovered in one of three ways: a breach being reported, as part of other fraud investigations or during a Department of Health and Human Services investigation.
"In terms of hospitals, it varies by institution, but this is an area that most hospitals would respond to if they became aware of it," she says.
Criminal liability for HIPAA violations should always be covered during employee training, Rose says. "This applies to workforce members and billers who are not on the care team, as well as pharmaceutical and medical device reps."
The Methodist Healthcare disclosure is similar to a case about a decade ago involving a former Florida Hospital Celebration emergency room worker who was sentenced to 12 months and one day in federal prison after pleading guilty to conspiracy and wrongful disclosure of identifiable health information.
The worker had been accused of inappropriately accessing, over a two-year period, from 2009 to 2011, 760,000 electronic health records and then selling information about 12,000 motor vehicle accident patients to a co-conspirator, who used the data to solicit legal and chiropractic business (see: Prison Time for Health Data Theft).