A recent report titled “Jail Terms for HIPAA Violations by Employees,” released by HIPAA Journal on March 22, 2018, details two separate instances of insider theft involving Protected Health Information (PHI) by employees in the healthcare industry. Both incidents will result in jail time and restitution fines for the breaches.

The first reported incident was by a former employee of the Transformations Autism Treatment Center (TACT) in Memphis, TN. Jeffrey Luke, who previously worked as a behavioral analyst for the center, was found to have intentionally stolen the PHI of patients. Following his termination from TACT, Luke illicitly accessed a company Google Drive account with the sensitive health information of 300 patients, both current and former, and downloaded the information onto a personal computer. It is suspected that Luke hacked the Google Drive account in order to gain access to the PHI of the TACT patients. It was discovered that this was not the first instance of insider data theft by Luke. Law enforcement identified additional stolen data on his personal computer of personal patient information from a former employer in the health and wellness field.

Luke was sentenced to 30 days in jail with a 3-year supervised release sentence to follow. Accompanying the jail time Luke was ordered to serve, he is also responsible for $14,941.36 in restitution for his crimes.

The second incident of insider theft involved a former employee of a St. Louis County, MO NHC Health Care nursing home. Shaniece Borney, employed between 2016 and 2017, is responsible for the theft of credit card numbers during her employment with the organization. Borney has not been sentenced, but is facing a jail sentence up to 10 years with a fine that could be anywhere up to $250,000 in restitution to the victims of her crime.

Of Luke’s case, HIPAA Journal stated:

This case sends a message to healthcare employees considering stealing healthcare data to sell, use, or pass on to a new employer, that data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record which will hamper future employment.

Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.

Certainly, these actions are meant to make a splash among healthcare employees, letting the industry know that enforcement is being taken very seriously.

HIPAA Violation Enforcement

Since the Enforcement Final Rule of 2006 was put into place, violations can be penalized by the Department of Health and Human Services’ Office for Civil Rights (OCR) with financial repercussions for any covered entity that fails to comply with HIPAA rules. With the Omnibus Rule that took effect in March, 2013, those financial penalties now extend to not only the healthcare industry, but also apply to any covered entity, including business associates (BAs) of those covered entities that must be in compliance with HIPAA rules.

Penalties for HIPAA violations are something that professionals in the healthcare industry are constantly hearing warnings for. But for many, they feel like distant threats that loom in a nonreality. While there is constant talk circulating around HIPAA violations in the media and healthcare networks, it is still poorly misunderstood among the larger community what actually constitutes a breach.

For those that need a not-so-subtle reminder, a violation is considered to have occurred when a covered entity or business associate does not comply with any one (or more) of the strict HIPAA Privacy, Security, or Breach Notification provisions which are clearly outlined.

Whether deliberate, as in the case with the two offenders who will be serving jail sentences for theft of PHI, or accidental, this latest demonstration of discipline proves that the OCR is serious about the consequences for violating the rules and regulations that are meant to keep the privacy of patients safe and secure. The healthcare industry should feel the impact of the penalties and do everything in their power to ensure that they have capable, trustworthy, and informed staff members to care for patients.

Digital Forge offers cybersecurity assessments and packages that meet the individual needs of every business, no matter your size or industry. Contact us today for more information. Call us at (877) 369-1831 or email info@dfcyber.com.