37 Months’ Imprisonment for Criminal HIPAA Violations

A former customer service representative at Tampa General Hospital has been sentenced to 37 months’ imprisonment for criminal HIPAA violations and tax fraud.

Shanakia Benton abused her data access rights while employed at the hospital and accessed and stole patient data with intent to commit fraud.

Benton was provided with access to the data in order to perform work duties. According to the court documents, Benton had previously received training on Health Insurance Portability and Accountability Act Rules. Benton was therefore aware that she was not permitted to access patient data unless there was a valid work reason for doing so.

However, over a period of 19 months between June 2011 and December 2012, Benton accessed the records of more than 600 patients of Tampa General Hospital without authorization. Benton copied the personal information of patients, and along with her accomplices, filed fraudulent tax returns in the names of 29 patients. In total, false tax returns of $226,000 were sought. In addition to the jail term, Benton is required to pay back $77,239 – her share of the proceeds from the wire fraud.

The case was jointly investigated by the Federal Bureau of Investigation, the Department of Health and Human Services’ Office of Inspector General, the Inland Revenue Service, and the Tampa Police Department. The U.S. Department of Justice announced the sentence on August 3.

Imprisonment for criminal HIPAA violations is always a possibility, although over the past few years relatively few criminals have been prosecuted for HIPAA violations. Individuals discovered to have used stolen data to file fraudulent tax returns have been tried for violations of other laws. However, criminal HIPAA cases are now becoming more common.

Any healthcare worker who improperly accesses and discloses protected health information could face criminal HIPAA charges, and the penalties can be severe. 10 years’ imprisonment for criminal HIPAA violations is possible, while a further two years can be tacked on to the sentence for aggravated Identity theft.

This case should serve as a warning to would-be data thieves. The Department of Justice is aggressively pursuing individuals who steal healthcare data for financial gain and individuals will be punished to the full extent of the law.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news