HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

5 Year Jail Term Upheld for Clinic Worker Who Stole PHI

A clinic worker who stole the protected health information of mentally ill patients and sold the data to identity thieves has failed to get his 5-year jail term reduced.

Jean Baptiste Alvarez, 43, of Aldan, PA, stole daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility in Philadelphia. The census sheets contained all the information needed to steal the identities of patients and submit fraudulent tax returns in their names – Names, Social Security numbers, dates of birth and other personally identifiable information.

Alvarez had the opportunity to steal the data undetected, as the floor where the sheets were kept did not have security cameras.

Alvarez was paid $1,000 per census sheet by his to-co-conspirators, who used the information to submit 164 fraudulent tax returns in the names of the patients, resulting in a loss of $232,612 in tax revenue for the IRS.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

In early 2016, Alvarez was found guilty of conspiracy to defraud, misuse of Social Security numbers, and aggravated identity theft. The latter carried a minimum sentence of 2 years. The maximum sentence for all counts was 24 years in jail, a maximum of three years of supervised release, and potentially a fine.

Judge Michael M. Baylson invoked the vulnerable victim enhancement, and Alvarez was sentenced to 5 years in jail for his crimes, 3 years of supervised release, was ordered to pay $266,985 in restitution, and a $500 special assessment fine.

Alvarez appealed the sentence claiming it was excessively harsh as his victims were not “vulnerable.” He also explained that he did not target the patients because they were mentally ill and had drug addiction issues. He only stole the information because he had access to it.

However, the U.S. Court of Appeals for the Third Circuit rejected his appeal to have the sentence reduced, ruling that Alvarez’s argument was without merit. The victims were suffering from mental health and addition issues and were vulnerable.  Judge D. Michael Fisher also noted that since the patients were not working, the IRS was unlikely to detect the fraud as there would not be any duplicate claim. The patients would similarly be unlikely to discover they had been defrauded due to their mental health issues. The 5-year jail term stands.

The case serves as a warning to healthcare workers that the theft of patients’ personal information can result in lengthy jail terms. The Department of Justice is aggressively pursuing cases of PHI theft, identity theft, and tax fraud, and is punishing criminals to the full extent of the law.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.