Former Tampa Hospital Employee Convicted of PHI Theft and Tax Fraud
A former employee of Tampa General Hospital was recently convicted of wrongful disclosure of individually identifiable health information and wire fraud.
Shanakia Benton was accused of stealing the protected health information of patients during the time she was employed at Tampa General Hospital. According to court documents, between June 2011 and December 2012, Benton improperly accessed the computer system of Tampa General Hospital and printed out and removed the individually identifiable information of 644 patients. The stolen data included names, Social Security numbers, dates of birth, addresses, and medical diagnoses.
In addition to using the information to file fraudulent tax returns in the names of the victims, Benton planned to sell the stolen data to other individuals. In total, Benton filed 29 fraudulent tax returns totaling $226,000.
Benton had previously signed a document stating she was aware of the rules regarding the accessing of patient information and was aware that she was required to protect the privacy of patients. Benton’s actions were discovered and she was arrested. In May 2016 she pleaded guilty to the offenses.
Last week, U.S. District Judge Susan C. Bucklew, a senior judge of the United States District Court for the Middle District of Florida, sentenced Benton to serve three years in jail for the offenses. Benton is also required to pay back the $77,239 in fraudulent tax refunds she received from the IRS.
OCR Warns of Data Theft by Insiders
The risk of insider theft of protected health information was recently highlighted by the Department of Health and Human Services’ Office for Civil Rights. Covered entities were warned that insider data theft is one of the commonest causes of healthcare data breaches. The incidents may not involve as many healthcare records as cyberattacks by hackers, although data is often stolen in order to commit identity theft and fraud.
It is not possible to prevent healthcare employees from accessing patient data, although policies and procedures should be implemented to ensure improper ePHI access is rapidly identified. Access logs should be recorded for all ePHI access attempts and those logs should be regularly reviewed.