Penalty for Theft of Healthcare Data Can be Severe

The penalty for theft of healthcare data can be severe, yet many individuals choose to risk imprisonment by accessing and disclosing the protected health information of patients without authorization.

Medical data and personal identifiers can be sold on the black market for considerably more than credit card numbers, and this makes hospitals and clinics targets for cybercriminals and thieves. This information can be used to obtain prescription medicines and medical services, commit identity fraud and make fraudulent insurance claims for many tens of thousands of dollars for each individual whose data is obtained.

While hackers often make headline news due to the huge volumes of data they are able to appropriate, one of the biggest threats to data security comes from employees, many of whom have legitimate access to healthcare data.

Each year there are numerous cases of employee snooping, with members of staff viewing the health data of patients out of personal curiosity and to obtain information about friends, family members and ex-partners. Some of these employees steal data with the intention of selling it on for personal gain.

Penalty for Theft of Healthcare Data is Up to 10 Years in Jail

The penalty for theft of healthcare data is stiff. Employees found to have accessed data which they have not been authorized to view will be subject to immediate termination of employment, while criminal charges can be filed against the individual concerned. The maximum penalty for the theft of data – with the intention of selling that data – is a jail term of 10 years and a maximum fine of $500,000.

The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) investigates cases of improper access and wrongful disclosure of healthcare data. The most recent case has seen East Texas resident Joshua Hippler, 30, given 18 months' imprisonment for theft of HIPAA data. The sentence was considerably lower than the maximum possible term; however, other individuals may not be so lucky. If the data is used to pay for goods and services, the maximum penalty for theft of healthcare data is 20 years in jail.

Hippler was employed by a hospital in the Eastern District of Texas and, between December 1, 2012 and January 14, 2013, was alleged to have stolen information on a number of patients with the intent of selling the data for personal gain.

He was indicted by a federal grand jury on Mar. 26, 2014 for multiple HIPAA violations, and on August 28, 2014 he pleaded guilty to the offenses. U.S. District Judge Leonard Davis has now sentenced Hippler to 18 months in prison.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news