Disclosure of PHI to an Undercover FBI Agent by Physicians and Multiple Lawsuits Filed Against Harvard Pilgrim Healthcare

Mistrial Announced in Criminal HIPAA Prosecution of Doctors Who Shared PHI with Undercover FBI Agent

The prosecution of two physicians charged with criminal HIPAA violations and conspiracy with the Russian government has ended in a mistrial because a unanimous guilty verdict could not be reached. 37-year-old Dr. Anna Gabrielian, an ex-anesthesiologist at Johns Hopkins, and her husband, 40-year-old Jamie Lee Henry, a physician and U.S. Army Major previously assigned to Fort Bragg, were prosecuted on September 28, 2022. They were charged with conspiracy to support Russia in attacking Ukraine and with criminal HIPAA violations for wrongfully disclosing individuals' personally identifiable medical data to somebody they believed to be a Russian representative.

The 8-count indictment alleges that the couple planned to harm the U.S. by giving Russia the sensitive data of American citizens linked to the U.S. government and military. The data sharing began on August 17, 2022, when data was transferred to a person they thought was a Russian agent. The disclosures confirmed Henry's secret-level security clearance and the couple's readiness to work with a Russian agent and hand over health data that the Russian authorities could potentially exploit.

Gabrielian had used her work email account to send a message to the Russian embassy offering medical collaboration and humanitarian help in response to the conflict with Ukraine. The FBI obtained the message and directed an undercover agent posing as a Russian operative to talk with Gabrielian. During the meeting, Gabrielian told the agent that her spouse was a more valuable source for Russia because he had access to more useful data, and she then arranged to meet the undercover agent together with her spouse.

The undercover agent recorded over 5 hours of conversations across the meetings, including the couple's wish to help Russia. Henry had attempted to join the Russian Army as a volunteer but was refused due to his lack of combat experience. Henry decided to provide Fort Bragg patients' medical records to the agent. In the next meeting, Gabrielian provided the agent with the medical data of two individuals, including the spouse of an employee of the Office of Naval Intelligence. Gabrielian mentioned he had a health and fitness stone problem that Russia could take advantage of. Henry gave the information of five military veterans or people related to military veterans. The two face a sentence of up to 10 years imprisonment for the criminal HIPAA violation, which is accessing and sharing health records without permission, and up to 5 years imprisonment for the conspiracy charge.

During the trial, Gabrielian stated that she provided the information because she feared for her life and for the lives of her family in the U.S. and Russia if she did not cooperate. She also stated that she noticed the agent was using a camera and asked if she was being recorded, so she thought she was in danger. She said that was why she provided the agent with the two records, though she supposed the records would not be useful to the Russian government, and neither would the data given by Henry.

The doctors' legal team contended that although the agent did not overtly threaten them and merely suggested an affiliation with the KGB, the physicians were frightened of what could happen if they refused a KGB operative. The defense said the couple's goal was just to help treat the sick and wounded, and argued that this was a crime made up by the U.S. federal government. The prosecution asserted that the two physicians wished to be Russia's long-term weapons and that there was no merit to the claims that the FBI entrapped them.

After two and a half days of trial, the jury advised U.S. District Court Judge Stephanie Gallagher that they could not reach a unanimous decision because one juror believed the FBI had entrapped the physicians, so Gallagher had no option except to declare a mistrial. A retrial is expected, according to the U.S. Attorney's Office.

Multiple Lawsuits Against Harvard Pilgrim Healthcare & Point32Health Due to Ransomware Attack

Multiple class-action lawsuits have been filed against Harvard Pilgrim Health Care and its parent company, Point32Health, over the exposure of the protected health information (PHI) of over 2.5 million people in a ransomware attack in April 2023.

Point32Health is the second biggest insurance company in Massachusetts and has over 2.4 million clients. Point32Health was created by the merger of Tufts Health Plan and Harvard Pilgrim Health Care in 2021. According to Point32Health, hackers had access to Harvard Pilgrim's systems from March 28, 2023 to April 17, 2023, when the company detected the attack and blocked it. The attack was noticed because ransomware encrypted files and prevented access. The forensic investigation confirmed that the breached systems held PHI such as names, telephone numbers, addresses, birthdates, Social Security numbers, provider taxpayer ID numbers, medical insurance account data, and clinical data. The hackers exfiltrated the files containing that information from the company's systems. The affected individuals received free credit monitoring and identity theft protection services for two years. The IT team has been working on recovering from the attack for the last 7 weeks; bringing the systems of the Harvard Pilgrim Health Care commercial and Medicare Advantage Stride health plans back online will take a few more weeks.

Because of the attack, 4 lawsuits have already been filed in the U.S. District Court for the District of Massachusetts claiming the Massachusetts health insurance company did not apply proper cybersecurity measures to protect the confidentiality of members' data. Harvard Pilgrim Health Care member Valeria Salerno Gonzales filed one lawsuit, Salerno Gonzalez v. Harvard Pilgrim Health Care Inc. et al, in which the defendants are alleged to have "intentionally, willfully, recklessly, or negligently" maintained the sensitive information of customers. As a result, hackers gained access to and stole the sensitive information of plan members. The lawsuit claims the plaintiff and class members face an impending risk of harm, identity theft, and fraud. The lawsuit's allegations include negligence, breach of fiduciary duty, unjust enrichment, and breach of implied contract.

Harvard Pilgrim Health Care plan member Tracie Wilson filed another lawsuit, Tracie Wilson v. Harvard Pilgrim Health Care, Inc. and Point32Health, Inc., which makes the same claims and also alleges HIPAA Security Rule violations. The lawsuit additionally raises the issue of how long it took the defendants to identify and report the incident. According to the lawsuit, the delay meant that immediate action was not taken to protect the plan members' sensitive data against identity theft and fraud. The plaintiff claims to have received more spam texts and telephone calls since the data breach and to have spent more time and effort monitoring her accounts to safeguard against identity theft. She likewise claims she has suffered anxiety, stress, fear, sleep disruption, and frustration as a result of the data breach.

The lawsuits seek class action status, damages, injunctive relief, declaratory and other equitable relief, and a jury trial. They also call for a court order to stop the defendants from engaging in further deceptive practices and to require that they implement adequate security measures and adhere to FTC guidelines.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone