Radiologist Arrested in Breach CaseProsecutors Claim He Inappropriately Accessed 97,000 Records
A radiologist faces three misdemeanor charges for allegedly stealing the protected health information of nearly 97,000 current and former patients of NRAD Medical Associates, the Long Island, N.Y., medical practice where he worked.
Meanwhile, Nassau County District Attorney Kathleen Rice is advocating a change in state law to permit tougher charges in such cases. And a privacy attorney says federal charges for HIPAA violations might be appropriate in the case.
A spokesman for Rice tells Information Security Media Group that Richard Kessler, M.D., was arrested on Dec. 3 and charged with three misdemeanors under state statutes: unauthorized use of a computer; unlawful duplication of computer-related material and petty larceny.
Kessler told authorities that he accessed and copied the NRAD information because he was planning to start a competing medical practice, according to the DA spokesman.
The radiologist is scheduled to be arraigned in district court on Jan. 6. Kessler faces a maximum of one year of jail time if convicted of the steepest charge.
Kessler's arrest follows a law enforcement investigation related to a breach that NRAD reported in July. At that time, the medical practice disclosed in a statement that a radiologist on staff accessed and acquired without authorization about 97,000 records that included patient names and addresses, dates of birth, Social Security numbers, health insurance information and diagnosis and procedure codes.
How Data Was Taken
A statement issued by Rice says that between about Jan. 17 and April 24, Kessler allegedly connected an external hard drive to his workplace computer and copied onto it patient information from the NRAD network. A search warrant uncovered Kessler's hard drive containing the NRAD patient records, as well other information, including NRAD corporate credit card information, corporate marketing materials, and IT information, Rice says.
"Though there is no indication that Kessler used any of the information stolen to open accounts, make purchases, or obtain property in the names of NRAD patients, the victims of this identity theft were given the opportunity by NRAD to protect their credit" through credit monitoring, the statement noted.
Cinzia Lawrence, CEO of NRAD, tells ISMG that the medical practice is continuing to work with law enforcement authorities in the investigation, and declined to comment on whether NRAD will file a civil suit against Kessler. "Protecting the privacy of our patients' personal information is vitally important," she says. She also declined further comment about the steps NRAD is taking to bolster data security in the wake of the incident. The radiologist no longer works for NRAD.
The current New York state statute for "unlawful possession of personal identification in the third degree" doesn't allow for additional criminal charges against Kessler, the DA spokesman says.
"Current New York State personal identification information statutes - Penal Law Â§ 190.81-83 - do not cover the information found to be in Kessler's possession," according to the Rice's statement.
As a result, Rice is calling for changes in the statute to allow tougher charges in cases such as Kessler's. "Physicians are regularly entrusted with the health and well-being of their patients, so the abuse of trust in this case is particularly outrageous," she says. "New York State's privacy and larceny statutes should be reformed so they can apply to more kinds of personally identifying information."
David Holtzman, a vice president at security consulting firm CynergisTek and a licensed attorney in New York, notes: "New York's criminal statutes do not make it a crime to steal or maliciously disclose health records. Legislation ... to close this loophole had been passed the New York State Senate [last year] but died without action in the state assembly."
Privacy attorney Adam Greene of law firm Davis Wright Tremaine notes, however, that federal prosecutors could consider filing HIPAA violation charges against Kessler.
"In addition to the charges that have been brought, the U.S. Department of Justice could bring criminal charges for knowingly obtaining PHI in violation of HIPAA," he says. "They would need to demonstrate that the doctor obtained the PHI without authorization. If they could demonstrate that the radiologist's actions were for commercial advantage or personal gain, then the penalty is up to $250,000 and up to 10 years imprisonment."
Other healthcare entities can take steps to avoid similar breaches involving employees, Holtzman says.
"Healthcare organizations should have security controls in place that prevent unauthorized devices, like thumb drives, hard drives and smart phones, from connecting to the information system that handles patient information by limiting access through the USB ports that are commonly found on a desktop workstation," he says. "Organizations [should] regularly scan their information networks to identify which devices are accessing or connected to the information system to identify any unauthorized devices or hardware that is getting access to the system."