HIPAA Breach for Handbags: Manhattan DA Indicts 8 in ID Theft Ring
Yesterday, the Manhattan District Attorney’s Office issued a press release announcing the indictment of 8 individuals involved in an ID Theft Ring. A former Montefiore Medical Center employee was named as the provider of the Protected Health Information (PHI) which enabled the thieves to obtain gift cards and store cards and run up tens of thousands of dollars of debt.
Monique Walker, 32, was employed as an assistant clerk at Montefiore Medical Center, and was provided with access to patient records in order to complete her work duties. However, Walker allegedly started printing off pages of HIPAA-protected patient records to sell to a third party, Fernando Salazar, 28.
The records contained patient names, addresses, dates of birth, health insurance information, next of kin contacts and Social Security numbers. The information was used by thieves to forge identities to obtain goods and gift cards from high-end stores. The offenses are alleged to have taken place between 2012 and 2013.
Walker was paid $3 for each printed copy of the records, and during her time at the hospital she printed thousands of pages. In total, 12,517 patient records were believed to have been accessed, printed and sold. Walker used the proceeds from her part of the crime to purchase expensive designer handbags and clothing from some of New York’s finest department stores.
Credit and store cards were obtained from Macys, Barneys, Victoria’s Secret, Lord & Taylor, Bergdorf Goodman and Zales, among others. Salazar bought the records, and six other individuals were involved in the fraudulent use of store cards. More than $50,000 of goods were obtained by the thieves before they were caught.
Manhattan District Attorney Announces Indictment
In the press release, Manhattan District Attorney, Cyrus R. Vance, Jr., thanked Montefiore Medical Center for its assistance in the investigation and for helping to uncover a serious crime ring. He said, “Here in Manhattan, my Office’s Cybercrime and Identity Theft Bureau has a successful track record of prosecuting insiders at gas stations, parking garages, restaurants, department stores, and popular chains.”
The 8 individuals have been charged with Grand Larceny in the Second and Third Degrees, Identity Theft in the First Degree, and Criminal Possession of a Forged Instrument in the Second Degree. Walker’s part in the ID theft ring resulting in charges of Grand Larceny in the Second Degree and Unlawful Possession of Personal Identification Information in the Second Degree (Class E), while Salazar received a third charge of Unlawful Possession of Personal Identification Information in the First Degree (Class D).
Announcing the indictment and charges, Vance said “In case after case, we’ve seen how theft by a single company insider, who is often working with identity thieves on the outside, can rapidly victimize a business and thousands of its customers,” he went on to say, “Motivated by greed, profit and a complete disregard for their victims, identity thieves often feed stolen information to larger criminal operations, which then go on to defraud additional businesses and victims.”
Montefiore Medical Center Initiates Data Breach Response
As a healthcare provider, Montefiore Medical Center is covered by the Health Insurance Portability and Accountability Act (HIPAA) and there are a number of rules governing procedures that must be followed after the exposure or disclosure of PHI.
The Breach Notification Rule requires covered entities to report data breaches to the Department of Health and Human Services’ Office for Civil Rights and breach notification letters must be sent to all individuals affected by the data breach. If the risk of identity theft or fraudulent use of stolen data is high – or has occurred – the covered entity must take action to mitigate any financial losses suffered.
Breach letter have now been issued to all affected individuals and they have been offered a year of complimentary credit monitoring services and can also benefit from an identity recovery service. Cover against fraud is provided under a $1 million insurance policy.
A senior vice president at Montefiore, Susan Green-Lorenzen, announced that the healthcare provider takes a number of precautions to protect the privacy of patients, including vetting staff prior to appointment. She said, “At Montefiore all employees are thoroughly screened for criminal backgrounds, provided [with] extensive training to protect patient privacy, and must adhere to a strict code of conduct,” she also said “The employee who was arrested in connection to this violation egregiously and criminally chose to violate established hospital policies, the trust of our patients and the law.”
The District Attorney’s Office will be receiving the full cooperation from Montefiore MC staff to ensure those responsible are brought to justice.