A former IT worker at a New Jersey medical centre has been sentenced to 5 years’ probation for the theft of IT equipment that stored patient protected health information.
Sergiu Jitcu, 39, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center, a non-profit medical community hospital in Pompton Plains. NJ. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients.
The local authorities were informed of the details of the incident, and a subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications.
The theft was reported to the Morris County Prosecutor’s Office . An investigation was launched, and Jitcu was deemed responsible for the crime. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and recovered computer equipment and additional items that had been stolen from Chilton Medical Center.
Jitcu was charged and plead guilty to one count of computer criminal activity and one count of theft of computer equipment. The offenses occurred between January 1, 2015 and November 8, 2017.
The Honorable Stephen J. Taylor, P.J.S.C., of Superior Court of New Jersey in Morristown sentenced Jitcu to a non-custodial sentence of five years’ probation on the condition that ongoing restitution payments be made to Chilton Medical Center totalling $64,250.
In accordance with HIPAA’s Breach Notification Rules, the patients who had their PHI compromised by the incident were sent breach notification letters within 60 days of the breach being discovered. Affected patients have been advised to monitor their accounts for suspicious activity, and inform the relevant authorities if they suspect that they have been victims of identity theft.