Inside Job at Clinics: Mobile Phone Used for FraudWorker Sentenced in Case Involving Theft of Patient Data
A former administrative employee of a medical marijuana clinic and several other clinics was recently sentenced to serve time in federal prison after pleading guilty to identity theft and wire fraud.
The case illustrates the potential risks posed by employees inappropriately using personal devices - a risk that could potentially be heightened with more staffers working at home during the COVID-19 crisis.
Stacey Lavette Hendricks of Leesburg, Florida, was sentenced to serve concurrently two 24-month sentences after pleading guilty in January to one count of aggregated identity theft and one count of wire fraud, the Department of Justice says in a statement.
In addition, Hendricks was also ordered to pay more than $22,000 in restitution to Carvana for cars she fraudulently purchased.
Prosecutors alleged that she used her personal cell phone's camera to take photos of dozens of patients' information that she then used to make fraudulent purchases and also sold to others for $100 per image.
Court documents alleged that while employed in administrative roles at various medical clinics - including a Florida-based medical marijuana clinic - Hendricks used her access to medical records to steal the name, date of birth, address, and Social Security number of patients, focusing on individuals with good credit scores.
As part of the scheme, prosecutors allege Hendricks used stolen data to fraudulently open a line of credit for herself. "Hendricks would either sell this information to third parties for cash, or would use it herself to defraud businesses out of goods or services," court documents allege.
Hendricks was nabbed in July 2019 after a confidential source reported the activity to law enforcement, and an undercover officer twice purchased from Hendricks several screenshots of patient PII.
"During the investigation, agents recovered a total of 113 distinct sets of stolen patient PII from Hendricks possession; this number also includes the 15 sets of PII that Hendricks sold to the undercover officer as well as the information recovered from the search of her home," court papers allege.
The case spotlights the threats that can be posed by insiders - especially as many more employees work from home during the COVID-19 pandemic.
"The inappropriate use of smartphones to disclose PHI in the healthcare workplace can pose a significant threat to patient privacy," says privacy attorney David Holtzman of security consultancy CynergisTek.
Privacy attorney Iliana Peters of the law firm Polsinell notes: "The risk of 'BYOD' in enterprises has always existed, but may not be sufficiently addressed by enterprises. ... For example, some entities, including in the federal government, take the approach that unless a particular employee needs his or her personal device for work purposes, the employee cannot use such devices except on their personal breaks."
But if employees need to use devices for work purposes, entities should have robust policies and procedures addressing how and when such devices should be used, she adds.
Some healthcare organizations rely on their staff members to use mobile devices to access information systems to support patient treatment services, Holtzman notes.
"A flexible approach that ingrains into an organization's culture of privacy, training workforce members on when use of personally owned mobile devices is appropriate, along with banning smartphones from specific locations in a facility or worksite ... may reduce the risk of unauthorized disclosure of PHI."
Peters highlights challenges posed by the growing remote workforce during the pandemic.
"Admittedly, enforcement of ... policies and procedures is more difficult when individuals are working from home, but ... during times of increased risk, entities should arguably increase the auditing of employee activity, particularly with regard to sensitive information like PII and PHI, including for role-based access violation issues," Peters notes
Restricting the use personal cell phones at home to take photos of PII is challenging, she says. But healthcare organizations should monitor access to patient data for signs patient information is being accessed without authorization, she adds.
"In my experience, the biggest tip-off to inappropriate employee activity is inappropriate access to PII or PHI, which is revealed by audit log/access log review," she says.
Holtzman offers a similar assessment.
"Monitoring the data workforce members are accessing has been proven to be an effective approach to enhance the confidentiality of PHI," he says.
"State-of-the-art monitoring technologies employ behavioral modeling to enable a machine-learning driven approach, which combines public information with algorithms to understand every single user's individual patterns of information system usage behavior. This always-improving context allows organizations handling PHI or other sensitive information to find malicious user access patterns that might otherwise remain hidden. It also finds perfectly reasonable explanations to usage patterns that might have otherwise taken hours of investigation."
In addition to personal mobile phones, at-home printers can create risks, some experts add.
"Data loss prevention tools are one way healthcare organizations can control where PHI will end up," Holtzman notes.
"The overwhelming majority of breaches in which a malicious insider steals PHI involve an endpoint device, like a printer or USB storage media," he says.
DLP employed on an information system provides the ability to manage the movement of data to the endpoint device, restricting saving, copying or transmitting the data, he notes.
"Organizations can set controls to allow laptops to access PHI, but not save it to the device's internal hard drive, USB media or send it to a printer," he says. "DLP enhances awareness of what is going on with sensitive information, enables better control of those actions and helps to protect against unauthorized disclosures and loss of data."