Two Cases of PHI Theft by Healthcare Employees Severely Penalized

PHI Theft

Employees can be severely penalized for violating HIPAA rules especially if they are involved in the theft of protected health information. The fine for such violation can be as much as $250,000 plus a jail term of up to 10 years. Anyone guilty of aggravated identity theft will be in jail for at least 2 years.

There were two cases of HIPAA violations this month involving employees. One employee was fined and imprisoned. The other one will most likely spend a longer time in jail upon sentencing in June.

Transformations Autism Treatment Center (TACT) discovered in February that a Behavioral Analyst stole the protected health information of patients after he was terminated. Jeffery Luke, a 29-year old from Collierville, TN, had access to a TACT Google Drive account, which contained the PHI of 300 current and former patients. He downloaded the PHI to his personal computer after his termination.

TACT discovered the remote access of the Google Drive account and downloading of PHI about one month after Luke’s termination. The data breach was investigated and law enforcement including the FBI were notified. The investigators were able to trace Luke because of his IP address. A search of his house uncovered the computer with the stolen ePHI and some forms and templates from TACT.

TACT actually terminated Luke’s access rights to Google Drive when he left the company. His access to the Google Drive account was a surprise. According to court documents, Luke hacked TACT’s account. There was evidence found to show that Luke researched how to do the hacking to access the data.

Upon law enforcement’s investigation, they discovered that Luke also had stolen data from a previous employer, Behavioral and Counseling Services in Somerville, TN. Luke pleaded guilty to all the charges. His sentence was to spend 30 days in jail and 3 years of supervised release. He also paid $14,941.36 in restitution.

NHC Health Care nursing home had an employee named Shaniece Borney, a 29-year old from St. Louis County. She pleaded guilty to the theft of credit card numbers of the nursing home’s patients. Borney accessed the computer system of NHC Health Care between 2016 and 2017. She used the credit card details to purchase items for herself and her family. Borney’s sentencing will be on June 21, 2018. She’s expected to spend up to 10 years in jail and to pay $250,000 as fine plus restitution to the victims of the fraud.

These two cases serves as a warning to healthcare employees who have plans of stealing healthcare data. The penalties can be severe. Even though Luke’s penalty seems light, his criminal record will impede future employment. Healthcare organizations also need to take the necessary steps to block terminated employee’s access to all systems. Passwords on shared accounts should be changed promptly.