Electronic devices are easy to steal and thieves sell on the hardware, although the value of the equipment pales into insignificance compared to the money that can be obtained from the patient data stored on the devices. PHI can be used to obtain products and medications which can be sold on the black market, although the data can also be used to submit false tax returns, obtain tax refunds and make bogus insurance claims.
The theft of Protected Health Information from two Detroit hospitals earlier this year has highlighted how easy it is for thieves to steal PHI if adequate security measures are not implemented and how that data can be used to commit fraud and medical identity theft.
The data breach involved two hospital employees: Markitta Washington, who worked at Henry Ford West Bloomfield Hospital, and Martez Lear from DMC Harper Hospital. The pair is alleged to have stolen the data of 1,400 patients from the hospital computer network in order to make bogus claims for tax refunds.
Following the discovery of the theft at Detroit Medical Center, the hospital conducted an investigation and revoked access rights to the data, and patients were notified of the theft in accordance with HIPAA guidelines. Both hospitals have also implemented stricter security procedures to prevent future data breaches.
The thieves are alleged to have appropriated the data for the purpose of committing medical identity theft and used Social Security numbers, names and dates of birth to apply for false tax refunds totaling close to half a million dollars.
When police raided the suspects’ home they discovered a treasure trove of PHI and patient data including medical notes and personal identifying information as well as Social Security numbers. Re-encoded credit cards and gift cards were also recovered from the suspects’ home in Farmington Hills along with the data of approximately 1,000 patients. According to the unsealed indictment, the pair is alleged to have used the data from 305 patients to make claims totaling $489,000 with the refunds sent using prepaid debit cards.
The theft of PHI and medical data can be highly lucrative and can cause victims to suffer considerable damage and loss. Law enforcement agencies may not be able to prevent the theft of data, although they are taking considerable measures to tackle the issue and bring the perpetrators to justice. Just as technology can make the theft of PHI easier for criminals, law enforcement officers can use technology to track thieves and bring them to justice.
However, regardless of whether the people responsible for a data breach are caught, healthcare organizations may be found to be liable for damages, even when data is stolen by employees who had been given legitimate access to PHI.
An Indiana court recently ruled against Walgreens following a data breach in which a former pharmacist stole PHI relating to one patient and provided it to a third party. The pharmacist in question admitted that she acted on her own and stole the data while being fully aware that she was breaching the hospital’s privacy and security policies. The court ruled that, in spite of this, the hospital was still liable for the theft.