Therapist Pleads Guilty in Fraud CaseMiami Hospital Worker Gave Patient Data to Theft Ring
A Miami respiratory therapist has pleaded guilty to identity theft and fraud charges related to a breach involving more than 800 patient records.
See Also: 2021: A Cybersecurity Odyssey
Betty Cole, who worked at South Miami Hospital, pleaded guilty in district court for the Southern District of Florida on July 15 for her participation in a stolen identity and fraudulent tax refund scheme, according to a U.S. Department of Justice statement.
Cole had access to patient names, dates of birth, and Social Security numbers as part of her duties at the hospital. She hand-wrote information lifted from patients records, authorities say.
Unfortunately, these kinds of criminal cases involving insiders with access to patient information are all too common in healthcare, says security expert Mac McMillan, CEO of the consulting firm CynergisTek.
"This is one of the hardest areas to police in information security - the knowledgeable insider who understands how to work around the system and its controls," he says. "In this case, the individual understood that to print the information or e-mail it would potentially be caught by security through log monitoring."
Cole, who pled guilty on two counts, faces a maximum prison term of seven years. She is scheduled for sentencing on Sept. 23.
The Justice Department says that last summer, another individual, Alci Bonannee asked Cole to provide Bonannee with personally identifiable information of South Miami Hospital patients. Cole obtained the patient information and provided it to Bonannee, a ringleader in an ID theft and tax fraud scheme, the statement notes.
In April, Bonannee, who was convicted in a trial, was sentenced to more than 26 years in prison, and an accomplice, Sonyini Clay, who pleaded guilty, was sentenced to 10 years, for their roles in the fraud. The case involved the filing of 2,000 false tax returns seeking $11 million in refunds, according to another Justice Department statement. In March, Chante Mozley, who also pleaded guilty in the same case, was sentenced to 42 months in prison.
The breach involving patient records at South Miami Hospital is similar to other recent ID theft and fraud cases involving insiders.
On July 17, the Office of the District Attorney Richmond County in New York announced the indictments and arrests of a Staten Island healthcare worker and four others on charges that include identity theft, falsifying business records and criminal possession of stolen property.
Amanda Zieminski, one of the defendants, is accused of stealing patient information from paper records of a Staten Island doctor's office, South Shore Physicians. The stolen data from more than 80 patients' records was allegedly used to create new debit cards and make cash withdrawals from victim's accounts as well as file false income tax returns to obtain refunds, according to the Richmond County District Attorney.
In another major breach that spanned from 2009 to 2011 at Adventist Health System's Florida Hospital Celebration, an emergency department worker inappropriately accessed 760,000 records, selling some information from those records for profit (see: Dismissed Adventist Lawsuit Resurfaces).
Fraud Prevention Steps
McMillan says healthcare organizations need to be more aggressive in safeguarding patient data from insiders. Key steps, he says, include:
- Use the details of recent fraud cases to educate staff about the possible consequences.
- Implement behavioral monitoring. "In most cases even if the inside perpetrator understands the controls environment and opts to use a manual process to extract the information they will leave a trail by their activity," McMillan says. "That trail will often deviate from their normal activity ... and this change in behavior can be measured and audited."
- Make sure workers are aware they are being monitored. "Ensure they know that they are subject to monitoring electronically, both keystrokes and visually at their work station," he says. "Make sure they know that engaging in this type of activity will result in immediate termination and prosecution."