Yesterday I read about the 7th criminal conviction and sentencing that has been given under HIPAA, “Woman gets 14 months in ID theft case.”
Leslie A. Howell, who worked at an Oklahoma City counseling center was sentenced to 14 months in prison for violating HIPAA by giving patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson who used the personally identifiable information (PII) to “to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers.” Howell was given a 14-month prison term.
Meckenstock and Stevenson were sentenced to prison terms earlier this year.
Here are the other HIPAA convictions that have been made so far, in chronological order:
1.
In August, 2004, a federal prosecutor in Seattle, Washington was the first to prosecute a criminal HIPAA violator, phlebotomist, Richard Gibson, who was an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients.
2.
In March of 2006 the U.S. Attorney’s Office in Houston convicted physician practice employee, Liz Arlene Ramirez, for selling the individually identifiable health information an FBI agent to a drug trafficker and in exchange for $500. The court sentenced Ramirez to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment.
3. & 4.
These criminal convictions included the first HIPAA criminal cases to actually go to trial. In January, 2007, Isis Machado, an employee at the Cleveland Clinic in Weston, Florida, was charged with obtaining computerized patient files, downloading individually identifiable health information of over 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer, Jr., the owner of Advanced Medical Claims in Naples, Florida. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. Machado and Ferrer were charged with one count of conspiring to defraud the United States, one count of computer fraud, one count of wrongful disclosure of individually identifiable health information (a HIPAA violation), and five counts of aggravated identity theft.
5. & 6.
Meckenstock and Stevenson, mentioned earlier, used names, social security numbers, and other identifying information obtained from Howell as well as from stolen/discarded mail, internet searches, credit reports, and car burglaries, to produce counterfeit identification documents (IDs). “These counterfeit IDs were used to obtain merchandise and credit from various merchants. Meckenstock and Stevenson were in possession of approximately 150 counterfeit drivers’ licenses and 68 counterfeit social security cards. Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to their victims.” Meckenstock and Stevenson were sentenced to prison terms earlier this year.
7.
Leslie A. Howell, discussed at the beginning of this post.
There still has been only one sanction given for HIPAA noncompliance, which I discussed here.
Tags: awareness and training, Health Insurance Portability and Accountability Act, HIPAA, identity fraud, identity theft, Information Security, insider threat, IT compliance, IT training, Jay Meckenstock, Leslie A. Howell, Nicole Lanae Stevenson, policies and procedures, privacy training, risk management, security training