Medical Workers Plead Guilty to PHI Access-Related CrimesOne Case Involves Healthcare Fraud, the Other HIPAA Crimes
Two former healthcare workers - a medical biller in Florida and an emergency medical technician in New York - have pleaded guilty in two separate federal cases involving the criminal misuse of patient information accessed while performing their jobs. One case involved healthcare fraud and identity theft, and the other criminal HIPAA violations.
See Also: Case Study: The Road to Zero Trust
Experts say both cases serve as the latest reminders of insider threats facing healthcare entities and their patients' information.
In the first case, the U.S. Department of Justice on Friday said Joshua Maywalt, a former medical biller at a Clearwater, Florida-based company that provided credentialing and medical billing services to healthcare entity clients, pleaded guilty to four counts of healthcare fraud and four counts of aggravated identity theft (see: Alleged Fraud at Billing Firm Spotlights Insider Risks).
The second case involves medical emergency technician Luis Soriano, who prosecutors say pleaded guilty to one count of criminal HIPAA violations committed in connection with his work at three New York-area hospitals between approximately June 2012 and August 2019.
Maywalt Case Details
Prosecutors say Maywalt abused his job role by wrongfully accessing and using the company’s patient information, as well as a Tampa Bay-area physician's name and identification number, to submit fraudulent claims to a Florida Medicaid health maintenance organization for medical services not actually provided by the physician.
Maywalt then altered the "pay to" information associated with those claims so that the payments for the fictitious medical services were sent to bank accounts under his control, prosecutors say.
In addition to the healthcare fraud and identity theft counts, Maywalt also pleaded guilty to federal tax crimes, including one count of filing a false federal income tax return and two counts of failing to file federal income tax returns in connection with the case.
Maywalt faces a maximum penalty of 10 years in federal prison for each healthcare fraud count, a two-year mandatory consecutive sentence on the aggravated identity theft counts, a maximum penalty of three years for filing a false income tax return, and a penalty of up to two years for each failure to file an income tax return.
Prosecutors say Maywalt also intends to forfeit $2.2 million in funds and a Tampa real estate property that are traceable to proceeds of his offenses.
An attorney representing Maywalt did not immediately respond to Information Security Media Group's request for comment on the case.
Soriano Case Details
In the New York case involving criminal HIPAA violations, prosecutors say Soriano, who is a licensed emergency medical technician, in the course of his work at three New York hospitals, acquired individually identifiable health information pertaining to certain patients, including names, telephone numbers, medical conditions and the approximate dates of, and reasons for, the patients' hospitalizations.
One of those affected hospitals, Northwell Health's Huntington Hospital, on Nov. 24 issued a breach notification statement related to the case. The hospital said that it was notifying 13,000 individuals of improper access to patient information by "an overnight shift employee without role-based authorization" between October 2018 and February 2019.
In its statement, Northwell said the worker was immediately suspended, and he was subsequently terminated when the hospital investigated in February 2019.
Huntington Hospital says it notified law enforcement authorities and cooperated with that investigation, which included following instructions to delay until November 2021 notifying any patients who were potentially affected.
"The law enforcement investigation resulted in the former employee being charged with a criminal HIPAA violation," Northwell says in the statement.
As of Monday, the Huntington Hospital incident was not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Sale of PHI
Court documents say that as part of a scheme, Soriano disclosed health information of "numerous patients at each of the hospitals without authorization and for reasons other than permitted by HIPAA and its regulations."
Prosecutors say Soriano disclosed the information to others, including one unnamed individual, in exchange for payments totaling between approximately $100,000 and $150,000.
Soriano is free on $50,000 bond and slated to be sentenced on April 5 in a Brooklyn federal court. He potentially faces 10 years of prison time.
A Northwell Health spokeswoman tells ISMG: "Huntington Hospital regrets the unauthorized actions of a since terminated former employee, and it continues to take steps to prevent an incident like this from recurring."
Only one of the three hospitals at which Soriano worked is part of the Northwell Health organizations, she says. Court documents do not identify the other two hospitals.
A Department of Justice spokesman declined ISMG's request for additional details, including whether others are being prosecuted in connection with the Soriano case.
An attorney representing Soriano did not immediately respond to ISMG's request for comment.
Some legal experts say the two cases are a reminder of the various insider threats facing healthcare entities and their patient's information.
But these two cases involving the intentional unauthorized access, disclosure and use of patient information by insiders - similar to cyberattacks - are rooted to criminal motivations.
"Money appears to be the primary driver. As we know, there are increases in ransomware attacks, and the black market value of protected health information greatly exceeds that of credit card information," says regulatory attorney Rachel Rose of law firm Rachel V. Rose - Attorney at Law, PLLC.
Training of healthcare staff, including providing examples of criminal cases and penalties, "is a fundamental step in deterring fraud in relation to the illicit taking of PHI for personal gain," she says. "This is important … especially in light of the increase in remote working by both employees and contractors."
Also critical is having adequately vetted workforce members, which is a provision in the HIPAA Security Rule, she says.
"With the distractions surrounding COVID-19, criminals of all levels and in all positions will exploit this lapse in oversight by deploying various forms of social engineering."
Continuing to train workforce staff and encouraging others to report bad actors is also critical to thwarting this type of conduct, she says.
"One area that should be on every entity's radar is a workforce member taking pictures [of PHI] on his/her phone," Rose says.
"This is not usually detected by software; however, a release [document] can be created that would give a company access to a phone. If a 'burner phone' or a regular camera is used, then it may still be difficult to detect."