Criminal Charges Filed Against Alabama Woman for HIPAA Violations

A woman from Alabaster has been charged with stealing surgery schedules of patients containing names, dates of birth and social security numbers from the Trinity Medical Center in Birmingham, Ala.

Chelsea Catherine Stewart did not work at the hospital, but visited a patient who was receiving treatment on numerous occasions between March 22 and April 8, 2011. During her visits Stewart also entered a patient registration area where she stole the records. In total she obtained over 4,500 patient records during her visits.

The woman had some form. She was involved in an investigation into credit card fraud, and law enforcement officers had already obtained footage of her using stolen credit card to pay for goods. She is alleged to have taken the schedules for the information they contained with the intention of committing identity fraud.

When law enforcement officers went to Stewart’s house on April 8, 2011, they discovered the surgery schedules along with notes written by Stewart which they referred to as an identity fraud “to do list.”

All patients who are understood to have been affected by the data breach have now been contacted and have been offered credit protection services for a period of a year without any charge to mitigate any damage caused by the incident.

It is not known whether Stewart had time to use any of the information, but the hospital has confirmed that it did manage to recover all of the schedules and the threat is believed to now be over. However, questions may be asked about how a member of the public was able to walk into the hospital on several occasions and obtain PHI.

It is the responsibility of covered entities to ensure that PHI is protected at all times, and the incident suggests that this was not the case and the hospital violated the HIPAA Security Rule for failing to implement the physical controls to prevent the accidental disclosure of PHI.

If Stewart is convicted of the crime, she can be sentenced to up to 10 years in prison, in addition to covering a fine of up to $250,000. If Trinity Medical Center is investigated by the Office for Civil Rights and HIPAA violations are discovered, it too could be penalized. Fines of up to $1.5 million can be issued if serious violations of HIPAA Rues are discovered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.