To serve as a deterrent, the penalties for HIPAA violations can be severe. Criminal violations by employees can attract a fine of up to $250,000 and a maximum jail term of 10 years, with an additional 2-year jail term where aggravated identity theft is involved. This month has seen two notable cases of HIPAA violations by employees. One has already resulted in a fine and imprisonment; the other is likely to result in a longer spell in prison when sentencing takes place in June.
The first case saw Jeffrey Luke, a former behavioural analyst at the Transformations Autism Treatment Center (TACT), steal the protected health information (PHI) of patients after his contract with the facility had already been terminated.
Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients and downloaded the PHI of 300 current and former patients onto his personal computer.
Nearly a month later, TACT discovered that patient information had been remotely accessed and downloaded. An investigation was launched into the theft and law enforcement was notified; due to the nature of the crime, the FBI was later alerted. Investigators traced the IP address used to access the files to Luke’s residence. A search of the property uncovered a computer containing the stolen electronic patient records as well as TACT forms and templates.
TACT had acted in accordance with HIPAA Rules following Luke’s termination: his individual access rights to Google Drive had been revoked, and he should no longer have had access to patient information. However, after termination, Luke gained access to a shared Google Drive account and used it to authorise access to the data from his personal Gmail account. Revoking an individual’s login does not help when the credentials of a shared account are still known to the departed employee.
Investigators were unable to ascertain exactly how Luke got into the shared account after his access rights were terminated. Court documents say that Luke hacked the account, and law enforcement found evidence that he had researched how to gain access to the data.
It was revealed that this was not the first time that Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.
In court, Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution to the victims of the theft.
Although TACT had taken measures to prevent Luke from accessing patient data, those measures were not enough. Healthcare organisations should also take precautions to minimise the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked, passwords on any shared accounts must be changed, and sharing permissions on shared files and folders should be reviewed so that no personal (non-organisational) account retains access. Where a cloud service records access events, reviewing those logs for connections from unexpected IP addresses after a termination can detect misuse weeks sooner than waiting for the next routine check.
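The sharing-permission review described above can be automated. The following is an added example, not code from the original article or from TACT: it audits a list of Drive-style permission records for the three conditions relevant to this case (a grant to a terminated account, a grant to an address outside the organisation’s domain such as a personal Gmail account, and an anyone-with-the-link share). The organisation domain, file names, e-mail addresses and the records themselves are constructed for illustration; in practice the records would come from the Drive API’s permission listing, which is assumed here to be mapped into the same fields.

```python
"""Offboarding audit of shared-drive permissions (added example).

The permission records below are CONSTRUCTED; their field names
(type, role, emailAddress, domain) follow the shape of Google Drive
permission resources, but nothing here calls the API.
"""
from dataclasses import dataclass

ORG_DOMAIN = "tact-example.org"  # hypothetical organisation domain

# Constructed sample: one record per (file, grantee).
SAMPLE_PERMISSIONS = [
    {"file": "Patient Intake Forms", "type": "user", "role": "writer",
     "emailAddress": "clinician.a@tact-example.org"},
    {"file": "Patient Intake Forms", "type": "user", "role": "writer",
     "emailAddress": "former.employee@gmail.com"},      # personal account
    {"file": "ABA Session Notes 2017", "type": "user", "role": "reader",
     "emailAddress": "jluke@tact-example.org"},          # terminated user
    {"file": "ABA Session Notes 2017", "type": "anyone", "role": "reader"},
    {"file": "Templates", "type": "domain", "role": "reader",
     "domain": "tact-example.org"},                      # in-domain share
]

# Hypothetical offboarding list: accounts whose grants must be gone.
TERMINATED = frozenset({"jluke@tact-example.org"})


@dataclass(frozen=True)
class Finding:
    file: str
    grantee: str
    role: str
    reason: str


def audit_permissions(perms, org_domain=ORG_DOMAIN, terminated=frozenset()):
    """Return a Finding for every grant an offboarding review should remove."""
    org_domain = org_domain.lower()
    findings = []
    for p in perms:
        kind, role, name = p["type"], p["role"], p["file"]
        if kind == "anyone":
            # Link sharing is reachable from any account, personal or not.
            findings.append(Finding(name, "anyone-with-link", role,
                                    "public link share"))
        elif kind == "domain":
            if p.get("domain", "").lower() != org_domain:
                findings.append(Finding(name, p.get("domain", "?"), role,
                                        "foreign domain share"))
        elif kind in ("user", "group"):
            email = p.get("emailAddress", "").lower()
            if email in terminated:
                findings.append(Finding(name, email, role,
                                        "terminated account still granted"))
            elif not email.endswith("@" + org_domain):
                findings.append(Finding(name, email, role,
                                        "external personal account"))
    return findings


def findings_by_reason(findings):
    """Group findings by reason so a reviewer sees the worst class first."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.reason, []).append(f)
    return grouped


if __name__ == "__main__":
    for reason, items in findings_by_reason(
            audit_permissions(SAMPLE_PERMISSIONS, terminated=TERMINATED)).items():
        print(reason)
        for f in items:
            print(f"  {f.file!r}: {f.grantee} ({f.role})")
```

Run on the constructed sample, the audit flags the Gmail address, the terminated account and the public link, and leaves the in-domain user and domain-wide shares alone. A real review would feed it the permission listing for every file in the shared drive and remove each flagged grant, then rotate the shared account’s password.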
The second case involves a former employee at a nursing home in St. Louis County, MO, who has pleaded guilty to the theft of credit card numbers belonging to patients.
Shaniece Borney, 29, of St. Louis County, was employed at an NHC Health Care nursing home between 2016 and 2017. While employed at the facility, Borney had access to a computer system that stored the payment information of patients. Borney abused that access to steal patients’ credit card details, which she then used for personal gain, making purchases for herself and family members.
Borney will be sentenced in June this year. She faces up to 10 years in jail and a fine of up to $250,000, and will be required to pay restitution to the victims of the fraud.