Second Defendant Sentenced in EHR-Related Fraud Case
Experts Say Case Spotlights Critical Risk Management Issues
A second defendant has been sentenced for her role in a Texas conspiracy involving the theft of data from patients' electronic health records that was then sold to support fraudulent claims for payment.
Amanda Lowry of Sherman, Texas, was recently sentenced to 30 months in prison after pleading guilty last year to conspiracy to obtain information from a protected computer, the U.S. Department of Justice says.
“The defendant’s actions not only compromised victims’ sensitive information, exposing them to fraudulent schemes, but also ultimately resulted in unnecessary costs to federal healthcare programs,” said Nicholas Ganjei, acting U.S. attorney of the Eastern District of Texas.
Earlier this month, a co-conspirator in the case, Demetrius Cervantes, was sentenced to 48 months in prison after pleading guilty to the same charge as Lowry (see: Defendant in Stolen EHR Data Case Sentenced).
A third defendant, Lydia Henslee, pleaded guilty in March, but her sentencing date has not been set.
In a superseding indictment, Henslee was hit with 10 more charges, including nine counts of unlawfully transferring, possessing and using a means of identification.
The defendants in the fraud case "accessed a healthcare provider's electronic health records without authorization and obtained PHI and PII," the Justice Department tells Information Security Media Group.
Court documents do not identify the healthcare providers breached in the case or the defendants' employers.
The defendants "did not have authorization to access the computers that contained the patient information. The EHR system was accessed by the defendants, external individuals who did not have work-related access or authorization to access the system," prosecutors say.
Court documents do not provide details of how the defendants allegedly obtained the stolen patient information or how many patients' records were involved in the fraud scheme.
Prosecutors say the stolen patient information was “repackaged” in the form of false and fraudulent physician orders and subsequently sold to durable medical equipment providers and contractors. The defendants obtained more than $1.4 million in proceeds from the sale of the stolen information and used the money to purchase sport utility vehicles, off-road vehicles, jet skis and other items, the Justice Department says.
Some experts say the case serves as a reminder of the importance of strong access management controls.
"Unauthorized access as a root cause of the theft of electronic protected health information in this case should raise three questions," says regulatory attorney Rachel Rose, who is not involved in the Lowry case.
"First, what technical access controls were in place and how often were they monitored - more importantly, how did this happen? Secondly, what do [an entity's] policies and procedures state in terms of prevention, detection and correction of a cybersecurity event? Third, is there a potential False Claims Act case and/or criminal action that could be brought in light of the circumstances?"
Larger Enforcement Trends
The fraud case spotlights "that the DOJ has made both cybersecurity and EHRs two areas of heightened enforcement action," Rose notes.
"With heightened scrutiny by DOJ, the Department of Health and Human Services and other government agencies, no one can afford to be either complacent or cavalier about ignoring their obligations to protect the privacy and security of PHI."
Rose will be a speaker at the Aug. 17-18 ISMG Virtual Cybersecurity Summit: Fraud & Payments Security.