Prison Time for Health Data Theft
Emergency Department Staffer Sold Patient Info
A former Florida Hospital Celebration emergency department registration clerk has been sentenced for selling patient information he improperly accessed in a breach of thousands of patient records.
Dale Munroe II was sentenced on Jan. 18 to 12 months and one day in federal prison. He had been accused of inappropriately accessing 760,000 electronic health records and then stealing and selling information about 12,000 motor vehicle accident patients to a co-conspirator, who used the data to solicit legal and chiropractic business.
In addition to the prison time, Munroe, who pleaded guilty on Oct. 22, 2012, to one count each of conspiracy and wrongful disclosure of identifiable health information, was also sentenced to serve a two-year term of supervised release. He had faced a potential maximum penalty of 15 years in federal prison.
Two co-conspirators in the case, who also pleaded guilty, await sentencing.
Authorities alleged that from 2009 until his termination from the hospital in July 2011, Munroe used a computer at Florida Hospital Celebration to access emergency department records from multiple Florida Hospital locations. Florida Hospital is a delivery system with 22 sites in the state (see: Selling Records for Profit Alleged).
Security experts say healthcare organizations can take several steps to help minimize the risk of identity theft. Those include auditing and monitoring worker activity, restricting staff access to patient information and ramping up employee training (see: Preventing Insider Medical ID Theft).
The FBI, in a statement about the ID theft case, said Sergei Kusyakov, who was involved with the operation of two Florida chiropractic centers, used the stolen information with other co-conspirators to solicit patients for legal and chiropractic services.
Kusyakov on Jan. 7 pleaded guilty to one count of conspiracy and four counts of wrongful disclosure of individually identifiable health information. He faces a maximum penalty of 45 years in federal prison. His sentencing hearing is March 25.
Meanwhile, Munroe's wife Katrina, a former insurance worker at Florida Hospital Celebration, faces a possible five-year federal prison sentence for her part in the conspiracy. Authorities allege that about a week after Dale Munroe's termination from his job, Katrina Munroe was recruited by the conspirators to take over the role of stealing patient data and providing it to Kusyakov.
In August 2012, Katrina Munroe was fired from her position at the hospital, after becoming a suspect in the data breach incident. In December 2012, she pleaded guilty to her role in the conspiracy. Her sentencing hearing is March 11.
Florida Hospital did not respond to HealthInfoSecurity's request for comment.
Addressing Insider Threats
"Preventing these kinds of breaches takes people, processes, and technology," says Stephen Wu, partner at the law firm Cooke, Kobrick & Wu LLP. That includes having manpower to investigate signs of potential breaches; policies and procedures about who can access patient data; and technologies such as auditing and monitoring software that helps identify unusual user behavior, he explains.
"If a user went from accessing a database 30 times a day to thousands of times a day, that's something that needs review," he says. "A software program can set off an alert of unusual activity, but it needs to be followed up."
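The jump Wu describes, from roughly 30 accesses a day to thousands, can be expressed as a per-user baseline check over audit events. The following is an added example, not code from the article or from any monitoring product; the event format, user names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed audit events (date, user, record_id); not real data."""
    events = []
    for day in range(1, 8):
        date = f"2024-03-{day:02d}"
        events += [(date, "clerk_a", f"a-{day}-{i}") for i in range(28 + day % 3)]
        events += [(date, "clerk_b", f"b-{day}-{i}") for i in range(30)]
    # Day 8: clerk_a pulls thousands of records, clerk_b works normally.
    events += [("2024-03-08", "clerk_a", f"bulk-{i}") for i in range(2400)]
    events += [("2024-03-08", "clerk_b", f"b-8-{i}") for i in range(33)]
    return events

def daily_counts(events):
    """Distinct records opened per user per day."""
    seen = defaultdict(lambda: defaultdict(set))
    for date, user, record in events:
        seen[user][date].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}

def flag_spikes(events, min_history=5, factor=5.0, floor=100):
    """Flag days where a user exceeds `factor` times their own median.

    `floor` suppresses alerts for low-volume users; both thresholds are
    assumed values that would need tuning against real audit data.
    """
    alerts = []
    for user, days in daily_counts(events).items():
        history = []
        for date in sorted(days):  # ISO dates sort chronologically
            n = days[date]
            if len(history) >= min_history:
                baseline = median(history)
                if n >= floor and n > factor * baseline:
                    alerts.append((user, date, n, baseline))
                    continue  # keep flagged days out of the baseline
            history.append(n)
    return alerts

if __name__ == "__main__":
    for user, date, n, baseline in flag_spikes(build_sample()):
        print(f"REVIEW {user} {date}: {n} records vs. median {baseline}")
```

Excluding flagged days from the history matters: otherwise a sustained run of bulk access raises the user's own baseline and later days stop alerting. As Wu notes, the alert is only a trigger for human review.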
David Harlow, a healthcare attorney and founder of The Harlow Group LLC consulting firm, notes: "Training and re-training of employees also is a critical ID theft deterrent. This highlights the rules and regulations - including consequences and penalties for inappropriate or illegal activity."