ER Clerks Charged in Records Scheme
Patients Allegedly Solicited by Lawyers, 'Medical Mills'
Two emergency room admitting clerks at a hospital in Queens, New York, have been charged with illegally accessing the electronic health records of hundreds of ER patients, many of whom were subsequently contacted by lawyers and outpatient services providers soliciting their business, prosecutors say.
The two registrars, who worked at Jamaica Hospital Medical Center, allegedly inappropriately accessed computer records of 250 patients, each containing information that included the patient's Social Security number, date of birth, address, telephone number, and details regarding their injuries and medical treatment received in the emergency room at Jamaica Hospital, says a statement from the Queens County District Attorney's office.
"These defendants are accused of blatantly violating their HIPAA obligations and illegally trolling through confidential patient records," Richard Brown, the district attorney, said in the statement. "Their alleged actions led to patients who were seeking treatment for injuries unwittingly being victimized again with the illegal release of their personal information and medical records."
Some of these patients were contacted by lawyers and "medical mill" healthcare services providers while they were still in the ER of Jamaica Hospital, says a spokesman for the Queens County DA's office. Medical mills are often fake clinics that submit fraudulent bills for healthcare services that are unnecessary or not delivered to patients.
The defendants in the case, Maritza Amador and Dache Prawl, both of Queens, face multiple charges, including computer trespass, second-degree unlawful possession of personal identification information, and unauthorized use of a computer. Both were arraigned on March 28 and released on their own recognizance, the DA spokesman says. Their next court appearances are slated for May 20. If convicted, they each face up to four years in prison.
New York law enforcement officials are investigating whether the two defendants in the case sold the patient information for profit to the lawyers and outpatient facilities that contacted the patients, says the DA office spokesman. He says prosecutors suspect the outpatient clinics that contacted many of the ER patients were trying to cash in on New York State's no-fault insurance law, under which insurers provide up to $50,000 in benefits to individuals injured in motor vehicle accidents.
Amador is accused of illegally accessing the patient records between Feb. 10, 2012, and March 12, 2014, and Prawl is accused of the illegal access between Dec. 11, 2013, and March 17, 2014. Sources close to the case said the hospital has terminated the employment of both Amador and Prawl.
Neither the DA's office nor Jamaica Hospital would comment on how the alleged criminal activity was discovered.
While Jamaica Hospital conducts background checks before hiring individuals for some positions, that's not the case for ER admitting registrars, a hospital spokesman says.
The alleged insider breach case at Jamaica Hospital is similar to an earlier case involving a former Florida Hospital Celebration emergency room worker, his wife - a former insurance worker at the hospital - as well as a third conspirator (see Prison Time for Health Data Theft).
In that case, law enforcement officials said the ER worker, over a two-year period from 2009 to 2011, improperly accessed electronic records of 763,000 patients treated at several Florida Hospital locations and sold personal information on about 12,000 patients to the co-conspirator. That information was used to solicit legal and chiropractic services for patients involved in motor vehicle accidents. The three defendants in the case pleaded guilty last year to charges that included conspiracy and wrongful disclosure of identifiable health information.
A class action lawsuit has been filed against Adventist Health System in the aftermath of that breach case (see Dismissed Adventist Lawsuit Resurfaces).
Addressing the Issues
Mac McMillan, CEO of the security consulting firm CynergisTek, says that insider breaches are more common than many healthcare organizations realize.
"Despite the improvements we have seen in monitoring and auditing, we still have a tremendous number of institutions that are not proactively monitoring what insiders are doing, or using the tools that give them the ability to do so effectively," he says. "Traditional audit tools, those that focus on rules, are not sufficient generally to catch this type of activity, particularly if the information viewed was something the perpetrator would have had access to normally."
Organizations can improve their detection of insider breaches by also implementing pattern and behavioral analysis, McMillan says. "Reviewing insider data access to certain high-profile patients and situations from a fraud or identity theft perspective, and observing differences in user access patterns and activity associated with those, provides valuable keys to identifying this type of activity," he says. "We still are an industry that doesn't know what it doesn't know when it comes to real-time awareness of what insiders are doing."
The Healthcare Information Security Today survey shows that audit tools and log management systems are the No. 1 technologies healthcare organizations plan to implement this year.