Employees facing Prison Terms for HIPAA Fines

The fines for HIPAA violations by employees can be severe, especially those where protected health information was stolen.HIPAA breaches by staff members can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft.Recently there have been two notable cases of HIPAA violations by employees, one of which lead to a fine and imprisonment, with the other likely to result in a longer spell in prison when sentencing takes place in June.

Prison Sentence for Former Transformations Autism Treatment Center Staff Member

In February, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was found to have stolen the protected health information of patients following sacking.

Jeffrey Luke, 29, of Collierville, TN obtained access to a TACT Google Drive account including the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his home computer.

Around one month after Luke was terminated, TACT discovered patient information had been remotely accessed and installed. An investigation was launched and law enforcement was made aware, with the latter warning the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.

Luke’s access rights to Google Drive had been sacked by TACT in accordance with HIPAA Rules; however, after termination, Luke had obtained access to a shared Google Drive account and authorized access from his personal Gmail account.

It is not yet known exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to obtain access to the data.

Law enforcement found this was not the first time Luke had stolen data from an employer. His computer also had patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.

Luke pleaded guilty to the charges and was given 30 days in prison and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution.

This case issues a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff sanctions. While Luke will only serve 30 days in jail, he will have a criminal record which will prevent future employment.

Healthcare groups should also take precautions to minimize the opportunity for  former employees to access PHI remotely after they have left employment. When an employment contract comes to a finish, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Nursing Home Staff Member Pleads Guilty to Theft of Credit Card Numbers

A former staff member at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers.

Shaniece Borney, 29, of St. Louis County, was hired at a NHC Health Care nursing home between 2016 and 2017. Borney used her access to the computer system and stole the credit card details of patients. The credit card details were used to buy things for herself and family members.

Borney faces up to 10 years in prison and could be fined up to $250,000 and will be required to pay restitution to the victims of the fraud. Borney will have a sentence hearing on June 21, 2018.

Ex-Berkeley Medical Center Employee Given Probation

A former Berkeley Medical Center Employee has avoided a jail term after pleading guilty to one count of identity theft. Roberts also admitted illegally acquiring the protected health information of 10 individuals, including their names, dates of birth and Social Security numbers, and providing that information to her co-defendant, Ajarhi Savimbi Roberts. Her accomplish in the crime will be sentenced next month after pleading guilty to bank fraud.

A federal judge told Angela Dawn Roberts, also known as Angela Dawn Lee, 42, of Stephenson, Virginia, to 5 years probation. She was also told to pay $22,000 in restitution.

HIPAA Violation Penalties

Most Common HIPAA Violations Causes