Hospital Theft Leads to HIPAA Criminal Charges

by | Jun 14, 2011 | Data Breach Laws, Government Enforcement

Hospital Theft Leads to HIPAA Criminal Charges

An Alabama woman has been slapped with criminal charges in connection with the theft of patient information from Trinity Medical Center in Birmingham, Alabama, as reported by The Birmingham News.  Section 1320d-6 imposes criminal penalties where any person knowingly uses a unique health identifier or obtains or discloses individually identifiable health information in violation of HIPAA. 

The young woman, identified as Chelsea Catherine Stewart, allegedly stole paper surgery schedules from a closed patient registration area at the hospital while visiting a patient.  Stewart was arrested the beginning of June after hundreds of pages of the schedules were found in the house where she was staying by police in connection with an ongoing investigation for mail theft and credit card fraud.   

The schedules contained the names, dates of birth, social security numbers and certain medical information of approximately 4,500 patients of the hospital.  In addition to the patient information, an affidavit by postal inspector John Bailey stated there were handwritten notes with information of other individuals which could be used for identity theft and a “to-do” list of sorts for fraud.  Notes allegedly read, “Get hospital records together and run credit reports on people to get info.”  

The notice of the theft on Trinity Medical Center’s website states,

“All stolen information has been recovered….The hospital has no reason to believe this information has been or will be used in a way that would cause harm.” 

However, Trinity Medical Center will be offering free credit monitoring for those affected patients.  In addition to the notice on its website, the hospital also notified affected individuals of the theft by mail.

If convicted, Stewart could face the maximum criminal penalties under §1320d-6 for “intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm” and up to 10 years in jail and $250,000 in penalties.  Stewart also faces unrelated charges of credit card fraud and breaking into a vehicle.  

Share this:

If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.

Archives