6 Plead Guilty in Criminal HIPAA Scheme at Health Entity
Defendants Include 5 Former Hospital Financial Counselors
Six individuals - including five former employees of a Tennessee healthcare organization - pleaded guilty to criminal HIPAA violations in an alleged scheme involving the sale of motor vehicle accident patient information to third parties.
The five former workers at Methodist Le Bonheur Healthcare in Memphis each recently entered guilty pleas in a Tennessee federal court for charges of unlawfully disclosing patient information in violation of HIPAA, the U.S. Department of Justice announced Tuesday.
Prosecutors allege that the workers provided the patient information to a sixth individual, Roderick Harvey, who sold it to third parties including personal injury attorneys and chiropractors. Harvey pleaded guilty on Friday to conspiracy to violate HIPAA (see: 5 Hospital Workers Charged With Selling Patient Information).
The Justice Department alleges that between November 2017 and December 2020, Harvey paid the MLH workers for names and phone numbers of patients who had been involved in motor vehicle accidents.
Harvey faces a maximum penalty of five years in prison, a fine of $250,000 and three years of supervised release. His sentencing is set for Aug. 1.
MLH told Information Security Media Group that under 1,500 patients were affected by the scheme. The organization notified each individual whose information had been compromised and reported the breaches to federal regulators, MLH says.
The hospital says it has since implemented a monitoring and auditing system for its patient registration process.
Four of the MLH employees worked as financial counselors, while the fifth held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Sylvia Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, court documents show.
Co-defendant Kirby Dandridge received a sentence of one year of probation and a $2,500 fine.
The other defendants - Taylor, Adrianna Taber, Kara Thompson and Melanie Russell - each face a maximum penalty of one year in prison, a $50,000 fine, and one year of supervised release for each HIPAA violation. They are scheduled to be sentenced in May and June.
Judges appear to be taking a harder line against criminal HIPAA violators.
Two defendants in another HIPAA criminal case prosecuted in Texas received 48 months and 30 months in prison, respectively (see: Second Defendant Sentenced in EHR-Related Fraud Case).
Combating the misuse of patients' protected health information is becoming a higher priority for regulators and law enforcement, said regulatory attorney Rachel Rose, who was not involved in either case.
"Four years is a significant sentence in light of the statute, as well as the federal sentencing guidelines," Rose said.