HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Arkansas Medical Assistant Pleads Guilty to Defrauding Patients

A medical assistant from Little Rock, AR. has plead guilty to one count of Aggravated Identity Theft after she illegally accessed the medical records of 13 patients, stole their Social Security numbers, and used their Protected Health Information (PHI) to secure credit.

United States District Court Judge, Susan Webber Wright, heard Mesha White, 34, plead guilty to Aggravated Identity Theft on June 3, 2015. The case has will now be scheduled for official sentencing, although the guilty plea means White will serve a mandatory two years in prison, with three years of supervised release. She must also pay back the thousands of dollars she has illegally obtained and spent in the names of 13 different patients.

White potentially faced a very lengthy jail term. She accessed and stole HIPAA-covered data without authorization; that data was taken for personal gain and White then proceeded to defraud thirteen different individuals. In April, a federal grand jury indicted White on seven counts of aggravated identity theft and seven counts of misusing a Social Security number. The guilty plea resulted in the dismissal of all but one charge of aggravated identity theft.

Dermatology Clinic Assistant Abused Data Access Rights

White used her position as a dermatology clinic assistant to gain access to protected records between November and December, 2012. After accessing and stealing data she applied for credit and started to accumulate debts. Suspicions were aroused and law enforcement officers started to investigate potential fraudulent credit activity.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Law enforcement officers managed to trace purchases to a single computer – via its unique IP address. That computer was traced to a local dermatology clinic. Officers contacted the company and White was identified as the main suspect, due to all of the transactions having taken place while she was on duty.

White went to lengths to hide her criminal activity. The goods that she purchased were not sent to her home address; but to a vacant property that she used to reside in. She would send the goods to be delivered and drive by to collect the boxes. A local resident gave a statement to law enforcement officers confirming that White used to visit the premises to collect boxes. The investigation identified the vehicle she used as a Blue BMW, which was discovered to be registered to white’s mother.

Employee Data Theft Continues to Plague Healthcare Providers

This incident is one in a number of recent cases of employee HIPAA breaches. In order to reduce the risk of employee data theft, all HIPAA-covered entities should provide additional training on HIPAA privacy and security rules. Specific mention should be made of the consequences of inappropriate access, disclosure or theft of PHI. It is essential that all members of staff understand that there will be consequences for inappropriate data access/use that extend beyond loss of an employment contract.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.