Texas Woman Sentenced to Over 2 Years in Federal Prison for Stealing and Selling PHI

A Texas woman pled guilty on December 4, 2020, to conspiracy to obtain information from a protected computer and was sentenced to 30 months in federal prison on July 22, 2021.

According to information presented in court, three individuals, including the Texas woman, were named in a federal indictment on September 11, 2019, charging them with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification. They were alleged to have breached a healthcare provider’s electronic health record (EHR) system to steal patients’ protected health information (PHI) and personally identifiable information. The stolen information was then “repackaged” as false and fraudulent physician orders and sold to durable medical equipment (DME) providers and contractors. The defendants obtained more than $1.4 million in proceeds from the sale of the stolen information and used those proceeds to purchase items such as sport utility vehicles, off-road vehicles, and jet skis.

One of the other two defendants was sentenced to 48 months in federal prison on July 8, 2021; the third pled guilty on March 25, 2021, and her sentencing date has not been set.

Acting U.S. Attorney Nicholas J. Ganjei stated, “Today’s sentence is another example of the Eastern District’s commitment to vigorously defending protected health information and prosecuting those who exploit such information for their personal gain. The defendant’s actions not only compromised victims’ sensitive information, exposing them to fraudulent schemes, but also ultimately resulted in unnecessary costs to federal healthcare programs.”

Issue:

All healthcare workers must understand HIPAA and their obligations to secure protected health information (PHI). The Privacy Rule permits access to the information needed to deliver high-quality healthcare and protect the public, while requiring that an individual’s health information be properly safeguarded. Because this case involved unauthorized access to an EHR system, the HIPAA Security Rule’s requirements for access controls and audit controls over electronic PHI are equally relevant. Staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Plan Policies and Procedures.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and privacy. Ensure that they address how health information is exchanged between healthcare associates and how requests from authorized individuals are answered in a timely manner.
  • Train all staff, at minimum upon hire and annually, on HIPAA, PHI, and privacy, including timely response to requests for records. Document that the training occurred and file the signed training records in each employee’s education file.
  • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, including a review of EHR access logs for access that is not tied to a legitimate treatment, payment, or operations purpose, and that each person demonstrates understanding and competency.