Three individuals allegedly gained unauthorized access to a healthcare provider’s electronic health record (EHR) platform with the intent to steal and sell protected health information (PHI). Two separate schemes, both involving Lydia Henslee, earned the alleged criminals millions of dollars. More details regarding the breach and potential HIPAA criminal penalties are discussed.
What Allegations Are They Facing?
Earlier this month, Demetrius Cervantes and Amanda Lowry, two of the individuals involved in the first criminal scheme, pled guilty to conspiracy to obtain information from a protected computer. The third defendant, Lydia Henslee, is facing additional charges.
So what supposedly happened?
The information presented to the court alleged that the three defendants gained unauthorized access to a healthcare provider’s EHR to steal patient protected health information. They then took the stolen PHI and created false physician orders to sell to durable medical equipment (DME) contractors and providers. Over the course of their operation, these individuals earned $1.4 million from their criminal enterprise.
Demetrius Cervantes and Amanda Lowry were charged with conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification.
Lydia Henslee, who faces 15 years in federal prison, is also being charged with nine counts of unlawfully transferring, possessing, and using a means of identification and an additional count of conspiracy to unlawfully transfer, possess, and use a means of identification.
Henslee is also implicated in a separate indictment for conspiracy to commit illegal remunerations. In that case, the defendants allegedly violated the Anti-Kickback Statute by paying and receiving kickbacks in exchange for DME orders billed to federal healthcare programs. In this scheme, the defendants are said to have made $2.9 million over an eight-month period.
How Are HIPAA Criminal Penalties Determined?
HIPAA criminal penalties are imposed when someone knowingly violates HIPAA. Depending on the nature of the incident, repercussions vary.
HIPAA criminal penalties are categorized into three tiers:
◈ Negligence: up to 1 year jail time
◈ Falsely obtaining protected health information: up to 5 years jail time
◈ Malicious intent or personal gain: up to 10 years jail time
Additionally, employees of a healthcare organization who intentionally break HIPAA rules can face fines of $50,000 to $250,000 payable to the HHS OCR, and may also be ordered to pay restitution to victims. An employee who commits aggravated identity theft is subject to a mandatory two-year prison term.