FL: Last of five pleads guilty in medical ID theft tax fraud, but questions about the breach remain
Wayne K. Routon reports:
The last of five people accused of tax refund fraud involving identity theft from medical records pleaded guilty Friday for his role in the scheme, U.S. Attorney Wifredo A. Ferrer said.
Michael Ali Bryant, Sr., 41, of Lauderdale Lakes, faces up to 12 years in prison at his sentencing scheduled in April, prosecutors said.
A confidential informant approached Bryant to buy drugs through Bryant’s connection to a medical service provider. Bryant said he had no access to any drugs but he could sell medical records containing the personal information of hundreds of patients that could be used to file fraudulent income tax returns, according to court documents.
Bryant sold the source 10 pages with up to 25 names on each and gave specific instructions on how to file the tax returns online to get tax refunds in the patients’ names without their knowledge, the court records showed.
Read more on the Orlando Sentinel. Once again, the name of the medical entity was not disclosed, although the name of the employee in the medical practice was – Angela Dione Rosier. When Rosier was charged, the government issued a press release about 47 defendants charged in 30 separate cases. That release stated:
Defendants Marquis Onigirin Moye, 24, of Pompano Beach, and Angela Dione Rosier, 41, of Coral Springs, were charged by criminal complaint for their participation in a stolen identity fraud scheme.
According to the complaint, Rosier worked for a company that performed medical laboratory tests where she had access to medical records with names, dates of birth, and Social Security numbers (personal identity information or “PII”) of individuals in the course of her employment with that company. During the conspiracy, Rosier provided access to the company’s database which allowed other coconspirators to steal PII from the company. Found on the computer of one of the coconspirators was the PII of over 1,300 individuals. Rosier knew that her co-conspirators would use the PII for fraudulent purposes. Moye also obtained information from the company’s database, which he used to obtain credit cards and other identification in the name of a patient.
The complaint provides additional information about the provider:
In May of 2012, law enforcement began investigating the cocaine-trafficking activities of Target Defendant #1. Based on the investigation, including a controlled purchase of personal identification information (”Pll”) and a search warrant that was executed at the home of Target Defendant #1, law enforcement agents obtained documents containing hundreds of names, addresses, dates of birth, and social security numbers. Examination revealed that each page was titled “Patient List.” Each page was numbered and at the bottom of each page there was a Uniform Resource Locator (“URL”) along with a date of “6/19/2012.” The URL indicated that the pages were from a specific medical services provider (hereinafter the ”provider”). The contents of each page was a spreadsheet listing the patient’s social security number, the patient’s full name, the patient’s date of birth, the patient’s address, and various billing information. Law enforcement agents subsequently determined that the PIl had been obtained from the provider.
The provider is a medical services company that is headquartered in the State of New York and has a local oftice located in Delray Beach, Florida. The provider perfonns at-home medical services for patients in South Florida, and in the New York area.
On July 30, 2012, law enforcement agents met with the provider’s management to notify them of the illegal intrusion into their computer network and subsequent theft of PlI. The management for the provider immediately took precautionary steps to prevent further intrusions by changing the username and passwords of their employees. Management for the provider also subsequently identitied an IP address that was continuing to access their networks without authorization. Law enforcement agents were later able to trace the IP address to the residence of Target Defendant #2, a former employee of the provider who was fired on October 28, 2011.
On July 31, 2012, management for the provider became aware that the same IP address was unsuccessfully attempting to gain access to their network with an assortment of different username and password combinations. On August 2, 2012 additional unsuccessful logon attempts were made from the same IP address before an eventual successful logon at 9:57 p.m. using the username and password of a current employee. The employee was subsequently interviewed by law enforcement agents and was eliminated as a conspirator in the investigation.
On August 23, 2012 a search warrant was conducted at the residence of Target Defendant #2 in Deerfield Beach, Florida. Evidence seized from Target Defendant #2’s residence included a computer that was later found to contain PIl of over 1,300 individuals. The Pll was identified as belonging to patients of the provider and was found to have been accessed from the provider’s network aher October 28, 2012 (sic), the date that Target Defendant #2 was fired.
A public records search indicates that Rosier worked for Apex Laboratory, Inc. Apex Laboratory is headquartered in New York and has locations in Florida. They provide in-home medical services for patients. PHIprivacy.net emailed Apex Laboratory on three occasions over the past 4 days to ask for a statement about the breach and whether this breach was ever reported to HHS, as it does not appear on their breach tool and an HHS spokesperson informs PHIprivacy.net that it never received any breach notification from Apex Laboratory. As noted previously on this blog, Apex Laboratory did send breach notifications to patients in September 2012, so it does appear to be the same breach described in court records.
Tiffany Shenae Cooper was also a defendant in the conspiracy, as reported by the Orlando Sentinel:
Tiffany Shenae Cooper, 33, of Deerfield Beach, actually persuaded Rosier to give her the names and passwords of fellow employees, record showed.
Cooper admitted to using the employee passwords to illegally log on to the medical services provider’s computer network to download patient information for various types of fraud, prosecutors said.
According to the factual proffer offered in her court case:
In July of 2012, agents contacted the Provider regarding potential breaches of their computer system . In an attempt to halt the breaches to the security system , the Provider directed all of its employees to change their passwords. Further investigation revealed that a computer whose internet protocol address (“lP”) address was registered to the family member of the defendant, who was a former employee, had repeatedly remotely logged onto the Provider’s patient database.
A search warrant executed in August 2012 “led to the seizure of numerous papers and item s relating to identity theft including: a desktop and a laptop computer (analysis revealed PII of 1,308 individuals – PII accessed from the Provider’s network after the defendant was fired by the Provider); computer printouts from the Provider consisting of PII for 19 individuals; handwritten notations containing PII for 21 individuals; eight debit or credit cards not in the nam e of the defendant.
When interviewed, Cooper stated that she was assisted in her activities by Rosier and Moye. Cooper admitted to providing MOYE with PII from the Provider, and estimated that she had given MOYE no more than 50 patient names. Moreover, the defendant explained that on August 2, 2012, following the change in username and password by a current Provider employee, the defendant contacted ROSIER via ROSIER’S cellular telephone, and asked ROSIER to obtain a new username and password for the Provider’s computer network. ROSIER subsequently provided the username “Latoya” and password “Toya3737.”
So it appears that the provider (Apex Laboratory Inc.) had at least one former employe involved in the scheme to steal patient information for a tax refund fraud scheme.
As noted above, there has been no breach notification to HHS by Apex Laboratory Inc., and one question is, shouldn’t there have been?
CORRECTION: A previous version of this post incorrectly questioned whether Apex had notified patients. I should have searched my own site, as I was the one who reported that they had back in September 2012. My apologies to Apex Laboratory for my failing memory and error.