Paroled Lab Tech Indicted for ID TheftCharged With Using Patient Information for Credit Fraud
A Nevada medical lab technician who had previously been convicted for Medicaid fraud has been indicted on charges of committing identity theft tied to credit card fraud while out on parole.
See Also: Data Center Security Study - The Results
Legal experts say the case is a reminder to healthcare entities and their business associates to conduct background checks on prospective employees and take other measures to prevent and detect breaches involving insiders.
In an Oct. 28 statement, the U.S. Department of Justice said a federal grand jury on Oct. 27 indicted Sherice Joan Williams, of North Las Vegas, on one count of illegal use and disclosure of patient health information and one count of aggravated identity theft. Williams pleaded not guilty to the charges. The FBI handled the investigation in collaboration with local police.
Prosecutors say Williams, between about Dec. 1, 2014, and Jan. 27, 2015, while working as a laboratory technician at an unnamed Las Vegas pediatric cardiology practice, allegedly accessed a patient's information without authorization and then used it to apply for credit cards without the patient's knowledge.
Previously, Williams was convicted on a felony charge of submitting false Medicaid claims, according to a Nov. 4, 2013, statement from the Nevada's state attorney general's office. She was then sentenced to serve 12 to 48 months in prison and pay about $10,000 in restitution, penalties and costs.
In that case, prosecutors alleged that Williams, while working for a North Las Vegas behavioral health services firm, had submitted false documentation for services she never provided to a Medicaid recipient. The investigation found that Williams submitted progress notes and subsequent Medicaid claims for time periods where the Medicaid recipient was not receiving the behavioral health services, according to a statement from the Nevada state attorney general's office. The fraud occurred between February and May 2012.
Nevada parole board records indicate that even though Williams was sentenced in November 2013 to serve one to four years for the Medicaid fraud crimes, she was granted parole from a state prison a few weeks later, on Nov. 25, 2013, and then was released from prison on Jan. 22, 2014. Parole was granted because Williams had earned credits while serving another concurrent sentence for a previous fraud-related case, a Nevada parole board spokesman says.
Parole records indicate that Williams' parole was subsequently revoked on March 19, 2015, and she is currently serving out her Medicaid fraud sentence, the spokesman says.
Crane Pomerantz, assistant U.S. Attorney in the Nevada district who is lead prosecutor in the Williams case, declined to comment on the case or the defendant's previous criminal record, and how that potentially could affect sentencing if Williams is convicted on the new ID theft and criminal HIPAA violations.
In a statement, prosecutors note that if convicted, Williams faces up to 10 years in prison on the health information charge and a minimum of two years consecutive on the aggravated identity theft charge, plus maximum fines of $250,000 on each count.
Healthcare fraud experts say the Williams case is a warning to other healthcare entities and business associates about the need to scrutinize prospective and current workforce members.
"In commentary to the HIPAA Security Rule, the Department of Health and Human Services states that 'the need for and extent of a screening process is normally based on an assessment of risk, cost, benefit, and feasibility as well as other protective measures in place,'" notes privacy attorney Adam Greene of the law firm David Wright Tremaine.
"Organizations may wish to consider what information individuals will have access to, and what is the risk that they will use that information for their own financial gain, such as for identity theft purposes. This may lead to more focused background checks, with more stringent standards applied to workforce members who will have access to Social Security numbers, credit card numbers and other high-risk information."
While background checks can help vet employees, they're not foolproof, notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
"Background checks are important, and healthcare companies should do them generally, but they aren't perfect," he says. "Insider threats are a real and significant issue. In my personal experience, insider problems are far more likely to lead to actual harm than many external breaches."
Insiders with bad intentions can take exactly what they need for bad purposes, Nahra says. "This is a consistent and ongoing problem," he says. As a result, healthcare organizations must educate their staff on the consequences of inappropriate data access and then monitor their activity, he says.
"People have to know they will get caught and that they will get fired," he says. "But it is hard to balance access to data to get your job done with strong controls and an effective monitoring problem."
The recent attention on major cyberattacks in the healthcare sector should not divert organizations from addressing insider threats, Nahra stresses. "But sometimes the focus on hackers ... distracts from this current, ongoing, significant problem with insider threats."