Defendant in Stolen EHR Data Case Sentenced
Prosecutors Describe Complex Fraud Scheme to Profit From Sale of Patient Data
The sentencing of one of three defendants in a Texas fraud conspiracy involving data stolen from electronic health records points to the need for better access management for systems containing patient information.
The Department of Justice says Demetrius Cervantes of McKinney, Texas, was sentenced Thursday to 48 months in federal prison after pleading guilty on Dec. 4, 2020, to conspiracy to obtain information from a protected computer.
According to court documents, Cervantes, as well as co-defendants Amanda Lowry and Lydia Henslee, also of Texas, were indicted in September 2019 for conspiracy to obtain information from a protected computer and conspiracy to unlawfully possess and use a means of identification.
Lowry previously pleaded guilty to conspiracy to obtain information from a protected computer and is set to be sentenced on July 22.
Henslee in November 2020 was additionally charged in a 10-count superseding indictment with one count of conspiracy to unlawfully transfer, possess and use a means of identification and nine counts of unlawfully transferring, possessing and using a means of identification.
Henslee in March pleaded guilty to conspiring to possess and use a means of identification in connection with various offenses. A sentencing date has not been set, but she faces up to 15 years in federal prison, prosecutors say.
The Department of Justice tells Information Security Media Group that the defendants in the case "accessed a healthcare provider's EHR without authorization and obtained PHI and PII. The defendants worked in the healthcare sector for another healthcare provider. They did not have authorization to access the computers that contained the patient information. The EHR system was accessed by the defendants, external individuals who did not have work-related access or authorization to access the system."
Court documents do not provide details of how the defendants allegedly obtained the stolen patient information or how many patients' records were involved in the scheme, which involved the selling of the data to support fraudulent claims for payment.
The Fraud Scheme
Prosecutors allege that the defendants breached an unnamed healthcare provider’s EHR system to steal patients' PHI and PII.
"This stolen information was then 'repackaged' in the form of false and fraudulent physician orders and subsequently sold to durable medical equipment providers and contractors," the DOJ says.
Prosecutors allege the defendants obtained more than $1.4 million from the sale of the stolen information and used the money to purchase vehicles and jet skis.
In the separate superseding indictment, Henslee was also charged, along with Steven Churchill, Samson Solomon and David Warren - all of Florida - and Daniel Stadtman of Texas, with one count of conspiracy to commit illegal remunerations.
Those defendants are alleged to have conspired to pay and receive kickbacks in exchange for orders from physicians that were subsequently used to obtain payments from federal health care programs.
Prosecutors say the conspirators obtained patient information and used it to create fictitious physician orders. The conspirators then sold the physicians' orders to each other and to other DME providers, prosecutors allege. "Within approximately eight months, the defendants collectively obtained more than $2.9 million in proceeds from the criminal scheme," prosecutors allege.
If convicted, the defendants each face up to five years in federal prison.
The sentencing of Cervantes in the conspiracy case "sends the message that the theft of protected health information, the fabrication of physicians' orders, and the sale of prescriptions will not be tolerated in the Eastern District of Texas," said Nicholas Ganjei, acting U.S. attorney.
Healthcare cybersecurity attorney Rachel Rose, who is not involved in the Texas cases, says the sentencing of Cervantes "is an important step of making individuals and organizations aware of the significant consequences of violating a multitude of laws, including HIPAA, the Federal Anti-Kickback Statute, and the HITECH Act."
"In light of the DOJ's statements … that cybersecurity and EHR fraud is a priority, the increased focus on non-compliance and conduct should not be overlooked," she notes.
PHI and PII are valuable to fraudsters for a host of reasons, says former federal prosecutor Andrew Wirmani.
"The information can be used to fraudulently bill government payers such as Medicare and Medicaid. Because healthcare claims are paid electronically, and payers depend on the good faith of providers to submit true and accurate claims, this type of fraud can be difficult to detect," he notes.
PHI and PII also have tremendous value on the black market, he adds.
"Stolen PHI, in particular, has a much longer shelf life than, say, stolen credit card information, which most companies or customers detect within a short amount of time. It can sometimes take years for an individual to know that their health information has been compromised."
Improving Access Management
Attorney Michael Borgia, a partner at the law firm Davis Wright Tremaine, says healthcare entities must take action to better safeguard their patient data from being stolen by malicious insiders as well as external hackers intending to commit fraud crimes.
"Among other things, monitoring and auditing access to systems with sensitive data like EHRs is essential," he says.
"Restricting access to such systems is key, but it isn’t enough to address insider threats, such as when someone who has authorization to access the data wants to steal and monetize it. Organizations also need to regularly audit access and scrutinize behavior that appears nonstandard or unusual."
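One way to put the access auditing Borgia describes into practice, as an added example that is not from the article or from any named organization: a small Python check over constructed EHR audit-log lines (the log format, the role allow-list and the thresholds are assumptions) that flags accounts whose role is not authorized for the EHR, record exports outside business hours, and users touching far more distinct patients than their peers.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample EHR audit log, assumed format "timestamp|user|role|patient_id|action".
# Not from the article or from any real EHR product.
SAMPLE_LOG = """\
2021-05-10T09:12:03|nurse01|nursing|P1001|view
2021-05-10T09:15:44|nurse01|nursing|P1002|view
2021-05-10T09:20:10|dr_lee|physician|P1003|view
2021-05-10T09:25:31|dr_lee|physician|P1001|view
2021-05-10T10:02:55|billing02|billing|P1004|view
2021-05-10T10:30:12|billing02|billing|P1002|view
2021-05-10T23:41:02|contractor7|vendor|P1005|export
2021-05-10T23:41:09|contractor7|vendor|P1006|export
2021-05-10T23:41:15|contractor7|vendor|P1007|export
2021-05-10T23:41:22|contractor7|vendor|P1008|export
2021-05-10T23:41:30|contractor7|vendor|P1009|export
2021-05-10T23:41:37|contractor7|vendor|P1010|export
"""

AUTHORIZED_ROLES = {"nursing", "physician", "billing"}  # assumed allow-list for this EHR

def parse_log(text):
    """Parse pipe-delimited audit lines into (timestamp, user, role, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, patient, action = line.split("|")
            events.append((datetime.fromisoformat(ts), user, role, patient, action))
    return events

def audit(events, authorized_roles=AUTHORIZED_ROLES, business_hours=(7, 19), volume_factor=2):
    """Return {user: set of reasons} for access patterns that merit review."""
    alerts = defaultdict(set)
    patients_by_user = defaultdict(set)
    for ts, user, role, patient, action in events:
        patients_by_user[user].add(patient)
        if role not in authorized_roles:          # account outside the authorized role set
            alerts[user].add("role not authorized for EHR")
        if action == "export" and not business_hours[0] <= ts.hour < business_hours[1]:
            alerts[user].add("after-hours export")  # bulk pulls at odd hours
    # Volume check: compare each user's distinct-patient count with the median of all users
    counts = {u: len(p) for u, p in patients_by_user.items()}
    baseline = median(counts.values())
    for user, n in counts.items():
        if n > volume_factor * baseline:
            alerts[user].add(f"{n} distinct patients, above {volume_factor}x median {baseline:g}")
    return dict(alerts)
```

Running `audit(parse_log(SAMPLE_LOG))` on the constructed log flags only `contractor7`, on all three checks; on a real system the thresholds would be tuned per role and department.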