Medical office assistants charged criminally under HIPAA for their part in ID theft ring
A March 15, 2011 indictment of twelve defendants charged for their parts in an identity theft and bank fraud scheme has been unsealed. Two of the defendants, who worked for HIPAA-covered entities in Florida, and have also been charged with HIPAA violations.
According to the indictment, Erica Hall was employed by Dr. Linda Green in Coral Springs as an office assistant from March 16, 2009 until February 2, 2011. As an office assistant, she had access to patients’ names, dates of birth, Social Security numbers, and medical information. Hall is charged with providing the identity information to two of the other other defendants in the fraud/ID theft ring.
Also according to the indictment, Sharelle Finnie was employed by Dr. Linda Groene in Fort Lauderdale from January 8, 2009 to February 2, 2011 as a medical assistant. Finnie was authorized to access and copy patient face sheets containing patients’ names, dates of birth, Social Security numbers, and medical information. She, too, is charged with providing patient information to other defendants in the ring.
Both women are charged with transmitting “multiple patient files” to three other defendants in the case.
The conspiracy also allegedly involved an employee of the Broward County School Board who worked in the teacher certification department. In that capacity, Jasmin Rembert had access to sensitive personal identification information from teacher certification databases. Rembert allegedly stole personal identifying information of teachers, including names, dates of birth, and social security numbers, which she then provided to other defendants.
Another defendant was the alleged organizer and leader of the criminal organization. He was the ultimate recipient of the stolen information and would use the stolen identification information to fraudulently add himself, other defendants, and others as “authorized users” on the victims’ credit card and bank accounts. The defendants then used the stolen personal identification information to impersonate the victims and to deplete their bank accounts and incur credit card charges as high as $128,000 in one case.
As a reminder, an indictment is not the same as proven charges.
It is not clear when authorities – or the doctors employing the defendants – first became aware of the breach. Assuming that the number of patients affected in each doctor’s practice is less than 500, I wouldn’t expect to see any breach report to HHS on HHS’s breach tool, either. I find no statement on Dr. Green’s web site and cannot find any web site for Dr. Groene.
Criminal charges under HIPAA are fairly rare, and I’ll be following this case.