Jail Terms for HIPAA Violations by Employees
The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft.
Jail terms for HIPAA violations are relatively rare, but there have been several cases where HIPAA violations by employees have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail terms have only narrowly been avoided.
Jail Term for Former Transformations Autism Treatment Center Employee
In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination.
Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and downloaded the PHI of 300 current and former patients onto his personal computer.
Approximately one month after Luke was terminated, TACT discovered patient information had been remotely accessed and downloaded. An investigation was launched and law enforcement was notified, with the latter alerting the FBI. Luke was identified as the perpetrator from his IP address, with the search of his residence uncovering a computer containing stolen electronic patient records and TACT forms and templates.
Luke’s access rights to Google Drive had been terminated by TACT in accordance with HIPAA Rules; however, after termination, Luke had gained access to a shared Google Drive account and authorized access from his personal Gmail account.
It is unclear exactly how that was achieved after his access rights were terminated. Court documents say Luke hacked the account and law enforcement found evidence Luke had researched how to gain access to the data.
Law enforcement discovered this was not the first time Luke had stolen data from an employer. His computer also contained patient data from another former employer – Somerville, TN-based Behavioral and Counseling Services.
Luke pleaded guilty to the charges and was sentenced to 30 days in jail and 3 years of supervised release. Luke was also ordered to pay $14,941.36 in restitution.
This case sends a message to healthcare employees who are considering stealing healthcare data to sell, use, or pass on to a new employer: data theft carries stiff penalties. While Luke will only serve 30 days in jail, he will have a criminal record, which will hamper future employment.
Healthcare organizations should also take precautions to minimize the opportunity for ex-employees to access PHI remotely after they have left employment. When an employment contract ends, or an employee is terminated, access to all systems must be blocked and passwords should be changed on any shared accounts.
48 Month Jail Term for Medical Clinic Worker Who Stole Patient Data
Stacey Lavette Hendricks, 49, of Leesburg, FL, was employed by a medical clinic in Florida. She was provided with access to patient information to complete her work duties but used her access to obtain patient information which was sold to identity thieves and used to defraud businesses.
The case was investigated by the U.S. Secret Service. Hendricks was apprehended when she attempted to sell stolen patient data to an undercover law enforcement officer. When her home was searched, law enforcement officers found the records of 113 patients. Hendricks faced a maximum jail term of 20 years for wire fraud and 2 years for aggravated identity theft. She pleaded guilty and was sentenced in 2020 to serve 48 months in federal prison.
3 Year Jail Term for VA Worker Who Stole Patient Data
A clerk at the Veterans Affairs Medical Center in Long Beach, CA has been sentenced for the theft of the protected health information of more than 1,000 patients.
Albert Torres, 51, was pulled over by police over an anomaly with his license plates. The officers found prescriptions in the vehicle in other people’s names, and the Social Security numbers and other PHI of 14 individuals. When police officers searched his home, they found hard drives containing the ePHI of 1,030 veterans and goods that had been stolen from the hospital. Torres was sentenced to 4 years in state penitentiary in 2018.
New York Dental Practice Receptionist to Spend 2-6 Years in Jail for Stealing Patient Data
In 2018, a former receptionist at a New York dental practice was sentenced to serve between 2 and 6 years in state penitentiary for stealing the protected health information of hundreds of patients.
Annie Vuong, 31, was given access rights to patient data to perform her work duties but abused those rights and stole the data of at least 653 patients. The information was passed to her co-defendant, Devin Bazile, via email. Bazile obtained credit lines in the victims’ names and made high value purchases.
Vuong was arrested in February 2015 after a 2-and-a-half-year investigation, was found guilty on 189 counts, and was sentenced to serve between 2 and 6 years in jail. Bazile was sentenced to between 3 and 9 years in jail, with up to 4 years in jail for one other co-defendant and 5 years’ probation for the other.
UPMC Patient Care Coordinator Gets 1-Year Sentence for Theft of PHI
A former patient care coordinator at University of Pittsburgh Medical Center (UPMC) was sentenced to 1 year in jail for accessing the medical records of patients without authorization and using the information to cause malicious harm.
Sue Kalina, 62, of Butler, PA, had accessed patient records without authorization for more than a year between 2016 and 2017, including those of old friends, classmates, and individuals she had a grievance with, and conducted a campaign of vengeance. One of the victims was a woman who had been hired by a previous employer to replace her. Kalina accessed that woman’s medical records and disclosed gynaecological information to her former employer in a voicemail. Kalina was fired for the HIPAA violation but was later hired by Allegheny Health Network and recommenced her campaign.
U.S. prosecutors sought a jail term of between 2 and 6 years. Kalina was sentenced to 1 year in jail, 3 years’ probation, and was prohibited from contacting any of the 111 victims.
Massachusetts Gynaecologist Spared Jail in Criminal HIPAA Violation Case
Gynecologist Rita Luthra, 65, of Longmeadow, MA, has been convicted of criminal violations of the HIPAA Privacy Rule and obstructing a federal investigation into a kickback scheme.
Luthra gave a pharmaceutical sales representative access to patient health information to complete pre-authorization forms for insurance companies that were refusing to approve prescriptions for Warner Chilcott’s osteoporosis drugs.
Luthra was also accused of being paid $23,500 to prescribe Warner Chilcott’s osteoporosis drugs, but maintained the payment was for speaker’s fees at medical educational events and for writing a research paper. The events took place in her office and the research paper was never finished. Luthra lied to federal investigators and also instructed the pharmaceutical sales representative to lie to back up her story.
Luthra faced up to 6 years in jail, one year of supervised release, and $300,000 in fines, including $50,000 for the HIPAA violation. The judge was lenient due to Luthra’s work with disadvantaged women in impoverished areas of Springfield. Luthra escaped a fine, was sentenced to 1 year of probation, and has permanently lost her license to practice.
Former Berkeley Medical Center Employee Sentenced
A former Berkeley Medical Center employee has escaped a jail term after pleading guilty to one count of identity theft. Angela Dawn Roberts, also known as Angela Dawn Lee, 42, of Stephenson, Virginia, admitted unlawfully acquiring the protected health information of 10 individuals, including their names, dates of birth and Social Security numbers, and providing that information to her co-defendant, Ajarhi Savimbi Roberts. Her partner in crime was sentenced to 24 months in jail after pleading guilty to bank fraud. Roberts was fortunate to escape a jail term, and instead was sentenced to 5 years of probation and was ordered to pay $22,000 in restitution.
Nursing Home Employee Pleads Guilty to Theft of Credit Card Numbers
A former employee at a nursing home in St. Louis County, MO has pleaded guilty to the theft of credit card numbers. Shaniece Borney, 29, of St. Louis County, was employed at an NHC Health Care nursing home between 2016 and 2017. Borney abused her access to the computer system and stole the credit card details of patients. The credit card details were used to make purchases for herself and family members. Borney faces up to 10 years in jail, could be fined up to $250,000, and will be required to pay restitution to the victims of the fraud.