Hospital Worker Charged in COVID Relief Fraud Case
Prosecutors Allege Patients' Information Used for Fake Unemployment ClaimsFederal prosecutors have charged a former Scripps Health employee in connection with an alleged conspiracy involving the theft of patient information that was then used to submit fraudulent unemployment claims under the COVID-19 relief program.
See Also: How to Take the Complexity Out of Cybersecurity
The U.S. Department of Justice in a statement on Thursday said it has charged nine San Diego county residents in two separate indictments with conspiracy to commit wire fraud and identity theft involving fraudulent pandemic unemployment insurance claims under the Coronavirus Aid, Relief, and Economic Security Act of 2020.
HIPAA Crimes
Matthew Lombardo, a former employee of Scripps Health, as well as three alleged co-conspirators - Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic, were all charged with conspiracy to commit wire fraud.
Lombardo, Piekos, and Genetti were also charged with aggravated identity theft.
In addition, Lombardo was charged with felony HIPAA violations for unauthorized disclosure of health information.
For the alleged HIPAA crimes alone, Lombardo faces a maximum penalty of 10 years in prison plus a fines. He has been arrested and is being held in custody.
Genetti was also charged with conspiracy to commit wire fraud, along with four other individuals, in a second case involving alleged drug crimes and identity theft.
In the DOJ's separate complaint related to the drug crimes case, prosecutors allege the wire fraud conspiracy involved over 108 separate CARESAct false claims that together paid out more than $1.6 million.
Traffic Stop
Court documents indicate investigators were led to the schemes after Piekos was pulled over by San Diego police in October 2020 while driving alone in vehicle without a license plate.
"As the deputies approached the vehicle, they observed an assault rifle in plain view," court documents note.
Upon making contact with him, Piekos admitted to possessing an un-registered assault rifle. A subsequent search of the vehicle led deputies to find several loaded firearms, loaded magazines, and approximately $40,000 in U.S. currency," court documents note.
Detectives subsequently obtained state warrants to search three cellular phones found at two of Piekos' residences. During a manual search of those phones, deputies allegedly discovered text messages between Piekos, Genetti and Lombardo discussing the illicit distribution of narcotics, firearms and a scheme to obtain unemployment benefits using other persons’ personal identifying information, court documents note.
Hospital Worker
Court documents do not name the organization that Lombardo worked for, identifying it as "S.H., a healthcare provider in San Diego County that operates multiple hospitals."
Scripps Health, in a statement to Information Security Media Group, confirmed that Lombardo was a patient services specialist employed on an "as-needed basis" from May 13, 2019 to April 14, 2021.
"He was terminated on April 14, 2021, for cause. Scripps takes its responsibility for protecting patient privacy very seriously and is cooperating with the government investigation," Scripps Health says.
Court documents note that the patient services representative job description posted on Lombardo's former employer's website describes the job duties as including meeting with patients to obtain identifying information and verify health insurance.
"The information Lombardo collected in that capacity includes name, age, date of birth, employment, and the reason the patient was seeking healthcare services," court documents note.
Prosecutors allege Lombardo, "while employed by a local hospital, stole confidential patient files, and provided them to co-defendants Piekos, Genetti, and Milosavljevic, to submit fraudulent claims for Pandemic Unemployment Insurance benefits.
Court documents provide examples of several fraudulent unemployment claims paid, exceeding a total of more than $100,000.
Text Messages
Prosecutors allege in the Lombardo case that messages in Piekos' phone show that he began providing Lombardo with patients' personally identifiable information on or before Aug. 15, 2020.
They also allege that Piekos instructed Lombardo to provide PII from persons "who were alive but gravely ill," allegedly reflecting Piekos' awareness that a deceased person’s PII is quickly entered into a government database that makes them ineligible for unemployment benefits.
Malicious Insider Safeguards
Regulatory attorney Rachel Rose says that the fraud case "underscores the need for comprehensive background checks and monitoring of employee access to PHI."
To help prevent illicit access and use of patient information by insiders, Rose says entities should implement physical safeguards such as cameras, software that blocks data from being downloaded onto a USB or other device, "and provide fraud, waste and abuse training so that other workforce members know to report suspect conduct to supervisors."
COVID-19 Fraud
"Fraud related to COVID-19 relief programs inevitable," notes former U.S. Department of Justice prosecutor Andrew Wirmani, who is now a white collar defense attorney at the law firm Reese Marketos LLP.
"It is always a good idea for providers to reassess and fine tune their security controls. The temptation to exploit COVID relief programs with patient information makes these proactive steps particularly important."
—Andrew Wirmani, Reese Marketos LLP
"With respect to the misuse of patient information in particular, the Justice Department has already prosecuted cases where defendants have gained access to beneficiary information through COVID-19 tests and then used that information to submit fraudulent claims for urine drug tests and other laboratory tests that were not ordered or performed," he notes.
"Patient information from prior COVID-19 testing has also been used to bill for medically unnecessary genetic tests and office visits that did not occur," he adds.
Wirmani predicts that the Justice Department will continue to prosecute similar cases involving COVID-19 fraud and the illegal use of patient information.
"It is always a good idea for providers to reassess and fine tune their security controls," Wirmani says. "The temptation to exploit COVID relief programs with patient information makes these proactive steps particularly important for providers to protect themselves from enforcement actions."
Rose and Wirmani will be speakers at the Aug. 17-18 ISMG Virtual Cybersecurity Summit: Fraud & Payments Security.