Sentencing in S.C. Medicaid Breach Case
Former Worker Inappropriately Accessed Data on 228,000
A former South Carolina state employee who pleaded guilty to five felony charges after he sent personal information about more than 228,000 Medicaid recipients to his personal e-mail account has been sentenced to three years of probation.
Christopher R. Lykes, Jr. also must perform 300 hours of community service, according to a statement from the office of South Carolina Attorney General Alan Wilson.
On Oct. 8, 2013, Lykes pleaded guilty to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.
Lykes, who was indicted in February 2013, could have been sentenced to a maximum of five years in prison, and/or a $5,000 fine, for each count.
Prosecutors say that in 2012, Lykes, while a public employee of the South Carolina Department of Health and Human Services, unlawfully accessed confidential records for an improper or unlawful purpose. They also charged that Lykes had conspired with another person in that effort. The second defendant in the breach case, Toshia Yvette Latimer-Addison, was also indicted in February 2013 on one count of criminal conspiracy. The Richmond County General Sessions Court lists that case against Latimer-Addison as "pending."
The information inappropriately accessed by Lykes and e-mailed in a spreadsheet included names, phone numbers, addresses, birth dates and Medicaid ID numbers, authorities say (see Arrest in S.C. Medicaid Info Breach). For almost 23,000 of the affected patients, Medicare numbers, which contain Social Security numbers, also were accessed.
A spokeswoman in the South Carolina attorney general's office declined further comment on the case.
Analyzing the Sentence
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the sentence for Lykes would likely have been tougher if he had been guilty of committing fraud tied to use of the Medicaid data.
"My understanding of the case is that the former employee was caught before the stolen information was actually used for identity theft purposes," Greene says. "The penalties may have been higher if actual identity theft had occurred. I haven't tracked criminal sentencing in traditional identity theft cases, but I know jail time for HIPAA-related offenses is very rare."
Among the few other HIPAA cases involving prison time was that of former UCLA Healthcare System surgeon Huping Zhou of Los Angeles, who in 2010 was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others, Greene says.
Zhou was the first defendant in the nation to receive a prison sentence for a HIPAA privacy violation, according to the U.S. attorney's office for the Central District of California (see HIPAA Violation Leads To Prison Term).
More recently, Helene Michel, the former owner of a Long Island, N.Y., medical supply company, was sentenced to 12 years in prison in a case that involved $10.7 million in Medicare fraud, as well as criminal HIPAA violations (see Hefty Prison Sentence in ID Theft Case).
Michel's husband and alleged co-conspirator in that case, Etienne Allonce, is among the Department of Health and Human Services' Office of Inspector General's most wanted fugitives (see More Executives Could Face Fraud Charges).
In July, federal prosecutors in Texas announced that they had taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations.
That case involves Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas, who was charged with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use for personal gain (see Former Hospital Worker Faces HIPAA Charges).