Hospital Insider PHI Theft Case: Lessons to LearnExperts Offer Insights on Preventive Measures
A case involving alleged insider theft of protected health information from a hospital in New York illustrates why healthcare organizations need to take extra precautions to prevent similar incidents.
Key insider theft prevention steps, some security experts say, include conducting an enterprisewide risk assessment, adequately vetting staff members who have access to PHI and implementing behavioral analytics to track unusual access to patient information.
In court papers filed in a U.S. federal court in New York, prosecutors alleged that Orlando Jemmott, a former emergency department clerk at Kings County Hospital in Brooklyn (owned by of NYC Health + Hospitals) from December 2014 to June 2017, "obtained individually identifiable health information relating ... and disclosed [it] to another person, under false pretenses and with the intent to sell, transfer and use said individually identifiable health information for personal gain."
Jemmott was arrested in February and released on $80,000 bond in April. His alleged accomplice - Ron Pruitt - to whom Jemmott allegedly sold the PHI, was arrested in August and was released on his own recognizance.
Both are now negotiating plea agreements, a spokesman for the Department of Justice in the eastern district of New York, which is handling the cases, tells Information Security Media Group. No further court dates are yet scheduled, the spokesman says.
Jemmott was employed by the hospital from March 2006 to April 2018, according to complaint documents filed in the cases. As part of his responsibilities as an ER clerk, Jemmott had authorized access to limited PHI needed to input patients' demographics into the hospital's system and to assist in presenting patients' symptoms and complaints, court documents say.
"Emergency department clerks did not need to access PHI beyond these circumstances. Moreover, emergency department clerks are not permitted to print electronic medical records," court documents note.
Prosecutors say that in approximately June 2017, the FBI received information from an individual who said she discovered in 2015 that Jemmott was allegedly stealing PHI and other patient-related information from the hospital and selling this information to another person - later identified by law enforcement as Pruitt.
With a warrant, law enforcement conducted a search of Jemmott's cell phone, finding "hundreds of WhatsApp and text message communications from approximately December 2014 to April 2015 between Jemmott and a telephone number belonging Pruitt," court papers say.
The device communications indicated that Jemmott provided Pruitt with more than 180 combinations of names and phone numbers via WhatsApp, an end-to-end encrypted messaging application, court papers say.
In these communications, Pruitt also solicited Jemmott for additional combinations of names and phone numbers, prosecutors allege.
Law enforcement officers have uncovered the full identities of at least 100 of these individuals, court documents say. The hospital has confirmed that at least 98 were patients near the time of the related messages from Jemmott to Pruitt, court papers says. "The hospital has also confirmed that [Jemmott] electronically accessed the private health records of at least 88 of the 98 confirmed patients in violation of the hospital's rules and regulations before sending the patients' names and telephone numbers to Pruitt."
Additionally, court documents indicate that hospital officials confirmed that paper documents that were provided to law enforcement by the individual who alerted authorities, dated from December 2016 to June 2017, contained PHI obtained from the electronic health records of at least 49 individuals who were patients at the facility.
In a statement provided to ISMG, Sheldon McLeod, CEO of NYC Health + Hospitals, which runs Kings County Hospital, says the organization is cooperating with federal officials.
"We have zero tolerance for anyone who intentionally violates our patient privacy rules. The privacy of patient information is an important foundation for the care we provide," McLeod says.
Jemmott was terminated from his job on April 9, the hospital says.
Court documents do not indicate whether the PHI allegedly provided by Jemmott to Pruitt was used in other criminal activities.
The hospital did not provide a comment on steps it's taking to prevent other insider theft incidents.
Lessons to Learn
Other healthcare entities can learn some important lessons from the Kings County Hospital case, including the need to make insider data theft prevention a higher priority.
"This case is a glaring example of failure caused by organizations that rely on policies and procedures alone to safeguard the confidentiality and integrity of sensitive personal information," says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"It is crucial that organizations have technology for user and entity behavioral analytics that provide powerful tools to identify when insiders are using or disclosing PHI by monitoring staff and physicians across information systems, endpoint devices or embedded applications and networks," he says.
"Any organization creating or maintaining sensitive personal information should perform an enterprisewide risk assessment to identify the threats and vulnerabilities to the confidentiality, integrity and availability to the data," Holtzman adds. "Use the risk assessment to develop a plan of action that prioritizes those areas that pose the highest risk of compromise to the information system. Make it a management imperative in your organization to follow through on investment and attention to information security."
The New York case also is a reminder that all healthcare entities should carefully vet workers who have access to patient information, says attorney Jay Kramer, a partner at the law firm Lewis Brisbois who is a former FBI agent.
"One of the key takeaways for employers is the critical importance of establishing appropriate policies and procedures for onboarding new employees," he notes. "Employees who are given access to sensitive or regulated data sets should be provided training on the appropriate use, handling and transfer of that data."
Employers also should require their employees to sign acknowledgements regarding the appropriate use of sensitive data, Jemmott says. Doing so, he says, makes it "much easier to take employment action - or law enforcement action, when necessary - to address rogue employees."
"We're living in a digital age, and the FBI and its partners have become increasingly adept at using the legal process to obtain digital communications."
—Attorney Jay Kramer
Commenting on the PHI allegedly found on Jemmott's cell phone, Kramer notes: "We're living in a digital age, and the FBI and its partners have become increasingly adept at using the legal process to obtain digital communications. The lawful collection and analysis of these records can reveal significant evidence of criminal activity, since bad actors routinely discuss elements of their crimes on platforms that believe are out of the reach of law enforcement."
Investigations into cases involving potential violations of HIPAA sometimes lead to the discovery of other crimes as well, Holtzman notes.
"U.S. attorneys have great discretion in investigating, enforcing and resolving criminal cases under the HIPAA statute," he says. "What we have seen to date is that most HIPAA violations are prosecuted as a lesser offense, including other crimes like healthcare fraud, activity involving cybercrimes, or threats to a law enforcement officer or public official."