Prison Time for Scheme to Frame Nurse for HIPAA Violations
Georgia Man Sentenced in 'Whistleblower' Privacy Case Involving Fake Claims
A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations.
On Tuesday, the Department of Justice said Jeffrey Parker of Rincon, Georgia, was sentenced to six months in prison after pleading guilty to one count of making false statements. Parker also was fined $1,200.
Prosecutors say Parker admitted that he “engaged in an intricate scheme” in October 2019 when he contacted the U.S. Justice Department, claiming that a former acquaintance who worked at an unidentified Savannah hospital had violated HIPAA's privacy provisions.
TV station website Fox28Media reported in January 2020 that the case kicked off in October 2019 after Parker contacted the station alleging that a nurse at the unnamed hospital violated HIPAA by emailing “graphic pictures” of patients treated at the hospital.
Parker agreed to a Fox28Media interview at the time, requesting his identity be hidden, calling himself a whistleblower and saying he feared for his safety, the news site reported. Authorities opened an investigation into the case after the news station reported the incident to law enforcement authorities.
Fox28Media reported that prosecutors later determined Parker’s motive “was all to implicate a former lover.”
In January 2020, Parker was charged with one count of making false statements and faced a maximum sentence of five years in prison and a $250,000 fine (see: Georgia Man Charged With Making 'Fake' HIPAA Violation Claims).
Court documents - which do not identify the targeted healthcare worker or the hospital by name - say Parker claimed the HIPAA violations involved the emailing of “graphic pictures” of traumatic injuries, including gunshot wounds.
"Parker created email addresses using the names of real individuals and pretended to be these individuals to make it appear as if the acquaintance committed a crime," prosecutors say.
"He sent the emails to the hospital where the acquaintance worked, to the DOJ, and to the FBI, and then claimed to have received threatening messages in retaliation for acting as a whistleblower. FBI agents quickly responded by acting to ensure Parker’s safety and investigate his allegations, and under subsequent questioning, Parker admitted concocting the scheme in an attempt to harm the former acquaintance."
Chris Hacker, special agent in charge of the FBI Atlanta, states: “Many hours of investigation and resources were wasted determining that Parker's whistleblower complaints were fake, meant to do harm to another citizen. Before he could do more damage, his elaborate scheme was uncovered by a perceptive agent and now he will serve time for his deliberate transgression.”
Detecting Insider Misdeeds
Insider threat experts urge organizations to create procedures for investigating cases.
"Organizations should have a defined and documented incident response capability in place to follow when an incident - internal or external - is suspected," says Randy Trzeciak, director of the CERT Insider Threat Center at Carnegie Mellon University.
The incident response process should include retrieving information, including logs, needed to confirm or deny that an incident occurred, he says.
Those logs can show whether an individual accessed or attempted to access a critical asset. The logs can also show if an individual modified information or exfiltrated data from a protected computer, he says.
That process also includes collecting and preserving all possible sources of evidence, including following a formal chain of custody, and involving law enforcement agencies when appropriate, Trzeciak says. "The forensic guidelines and procedures should be consistent with the organization’s policies and all applicable laws."
With a significant portion of the workforce now working remotely, he says, "an organization is potentially at higher risk of an insider incident if they are not able to implement the same security controls on the remote workforce. Requiring employees to access company resources only from a company-provisioned device and requiring all connections to corporate networks to be completed via encrypted sessions - for example, VPN - may reduce the risk of a malicious insider or nonmalicious insider incident."
Out for Revenge
Regulatory attorney Paul Hales of the Hales Law Group notes that disgruntled employees can become motivated to commit various misdeeds out of revenge against an organization rather than an individual, as in the Georgia case.
"Providers must make sure they keep good documentation to protect themselves from spurious claims," he says. "And now, when healthcare providers are overtaxed by treating COVID-19 patients, they should be especially vigilant in checking backgrounds of temporary staff they hire to meet increased demands."
Whistleblower protection laws are effective vehicles for exposing unlawful activity: They offer protection and rewards to insiders who have unique access to witness crimes, he says.
"A person acting in good faith who mistakenly reports misconduct is generally protected from retaliation. But one like Jeffrey Parker who intentionally makes a false report of misconduct is subject to criminal prosecution and civil recourse by the victim of their false claim."