Governance , HIPAA/HITECH , Privacy

Georgia Man Charged With Making 'Fake' HIPAA Violation Claims

Prosecutors: Defendant Reported Hospital Worker for HIPAA Crimes That Never Happened
Georgia Man Charged With Making 'Fake' HIPAA Violation Claims

In a bizarre "whistleblower" case, federal prosecutors have charged a Georgia man in connection with an alleged "intricate scheme" involving falsely reporting that a Savannah hospital worker committed criminal HIPAA violations.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

The U.S. Department of Justice says Jeffrey Parker, 43, who initially "claimed to be a whistleblower," has been charged with falsely reporting that a "former acquaintance" violated HIPAA by committing patient privacy violations.

According to court documents, Parker was charged with one count of making false statements. He faces a maximum sentence of five years in prison and a $250,000 fine.

"Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations," said U.S. Attorney Bobby Christine. "This fake complaint caused a diversion of resources by federal investigators as well as an unnecessary distraction for an important healthcare institution in our community."

The court documents do not identify the healthcare worker who was allegedly falsely accused by Parker or the facility involved, but they identify it as a hospital in Savannah, Ga. "with operations in Nashville, Tennessee and elsewhere."

Privacy attorney Kirk Nahra of the law firm WilmerHale notes: "HIPAA criminal cases tend to involve certain kinds of things - use of protected health information for a fraudulent kind of purpose, or some kind of malicious release to the media or otherwise. We have seen other cases that have been connected to broader kinds of healthcare fraud investigations. This one is pretty unusual."

Adam Greene, an attorney with Davis Wright Tremaine, says the case shows "the extent that HIPAA has entered the mainstream that we now have at least one case of someone allegedly fabricating a criminal HIPAA violation."

Messy Case

TV station website Fox28Media reported Wednesday that the case kicked off last October when Parker contacted the station alleging that a nurse at an unidentified Savannah hospital violated HIPAA by emailing "graphic pictures" of traumatic injuries, including gunshot victims, who were treated at the hospital.

Parker agreed to a Fox28Media interview in October, requesting his identity be hidden, "at that time calling himself a whistleblower saying he feared for his safety," the news site reports. "This has been going on for a long time, pictures sharing amongst employees and people that are outside the hospital," he reportedly told Fox28Media.

"The pictures he shared are very graphic, [and] after interviewing Parker, we contacted the U.S. attorney's office," Fox28 Media reports. Authorities then opened an investigation into the case.

Ex-Girlfriend?

A U.S. Justice Department spokesman declined to discuss details of the case beyond what appears in court documents, but says Parker is now cooperating with the investigation.

"While I have seen many employment cases center around whether someone actually violated HIPAA, this is the first time I have seen allegations that an individual falsified a claim of a HIPAA violation and brought it to law enforcement."
—Adam Greene, Davis Wright Tremaine

When asked by Information Security Media Group about Parker's potential motives, the spokesman referred to the Fox28Media account of the case. Fox28Media reports that prosecutors say Parker's motive "was all to implicate a former lover."

An attorney representing Parker in the criminal case declined to comment.

Elements of the Scheme

As part of the alleged scheme, Parker created email addresses using names of real individuals and pretended to be these individuals to make it appear as if the hospital worker committed a crime, prosecutors say. "He sent these communications to the hospital where the acquaintance worked, to the DOJ and to the FBI," prosecutors says.

Not much can be done to stop individuals from creating false email addresses, says Greene, the attorney. "Anyone can create a private commercial email account, as there is usually minimal identity verification during the process. The burden really falls on the recipient of an email to be cautious that private email accounts are often unverifiable."

In reporting what he portrayed as HIPAA violations, Parker said he had received threatening messages and told authorities "I am actually a bit frightened now for my safety," prosecutors say.

FBI agents took steps to ensure his safety and quickly investigate the alleged crime, court documents say. "After an FBI agent interviewing Parker found inconsistencies in his story, Parker admitted the statements he made and emails he sent were false," prosecutors say.

"Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed and justice will be served," says Chris Hacker, special agent in charge at FBI Atlanta.

Unusual Case

Some HIPAA experts say the Georgia case is quite unusual.

"While I have seen many employment cases center around whether someone actually violated HIPAA, this is the first time I have seen allegations that an individual falsified a claim of a HIPAA violation and brought it to law enforcement," Greene says.

Independent HIPAA attorney Paul Hales notes: "Key takeaways are the FBI's speed in investigating the defendant's claim that someone committed a HIPAA crime and the Department of Justice's commitment to HIPAA criminal enforcement. The case stems from defendant's alleged attempt to cause trouble for a former acquaintance. But he left an electronic trail leading right back to him - and there is always an electronic trail."

Although it's not clear what the origin of photos the defendant used to try to frame his victim, Hales says "audit logs in the hospital's electronic health information systems record when any protected health information is accessed and by whom."

The case could potentially become even messier, Hales contends. "If [Parker] used real PHI to make his false statements, he may also have committed a HIPAA crime for which he may be charged."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.