Guilty Pleas in Criminal Insider Breach CasePaper Records Stolen From Hospital Storage Unit
A case involving a former nurse who stole paper records, and, with an accomplice, used the information for identity theft crimes, serves as a reminder for healthcare entities and others about the risks that insiders can pose.
"While many organizations are rightfully focusing on cybersecurity threats, it's important to also maintain vigilance regarding non-cyber threats, such as insiders who may use Social Security numbers or payment card information for fraud," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Court documents show that Lane Miller, a former nurse at Mercy Health Love County Hospital and Clinic in Marietta, Oklahoma, pleaded guilty March 28 to aggravated identity theft, which is punishable by up to two years imprisonment and a $250,000 fine.
On March 26, Robert Bond, an accomplice in the case, pleaded guilty to conspiracy to commit wire fraud as well as aggravated identity theft and could now face fines as well as 20 years or more in prison.
The prosecutor in the case, Robert Wallace, assistant U.S. attorney in the Eastern District of Oklahoma, tells Information Security Media Group sentencing will take place before the end of the year.
Wallace says the case serves as a reminder for healthcare organizations and those in other sectors about the importance of protecting sensitive data. "Information security is very important for any entity with personally identifiable information onsite," he says.
Accessing Paper Records
Court documents indicate that Miller was an employee of Mercy from March 2010 to October 2016. Wallace tells ISMG that after Miller's employment had already ended, Miller allegedly went into a storage unit at the hospital to supposedly obtain boxes for a move, and then he took paper patient records.
Law enforcement officials executed a search warrant in the case and among evidence collected were paper patient records and laptop computers, Wallace says.
Indictment papers say that from April to June 2017, Lane and Bond used the Social Security numbers and dates of birth of 10 patients to open or attempt to open credit lines totaling nearly $240,000.
The charges filed in January against the two individuals arose from an investigation by the Marietta Police Department, the Love County Sheriff's Office, the U.S. Postal Inspection Service, and the U.S. Secret Service, says a March 26 statement by the U.S. Department of Justice.
How Big Was the Breach?
Mercy Health in September 2017 filed a breach report with the U.S. Department of Health and Human Services about the theft of a laptop and paper/film records containing protected health information for 13,000 individuals.
In a statement issued on Sept. 19, 2017, Mercy Health said that upon discovering the theft on June 23, 2017, it immediate steps to secure the hospital storage unit and cooperated with the law enforcement "to hold the perpetrators accountable."
Mercy is providing all affected patients with one year of free credit monitoring and identity restoration services. It says there is no evidence that files any patients besides the 10 law enforcement identified as victims had their records accessed or acquired without authorization.
Wallace tells ISMG that the patient information spotlighted in the case appears to have been from the paper records taken by Miller.
Mercy Health declined to comment to ISMG about how Miller likely gained access to the storage unit after his employment had ended.
The incident is a reminder for healthcare entities to be mindful of the security and privacy risks posed by employees as well as former staff members.
"Insider cases have been an ongoing problem for the healthcare industry for many years," privacy attorney Kirk Nahra of the law firm Wiley Rein notes.
Often, however, these insider cases get less attention than hacker incidents because they tend to impact fewer people, Nahra says. But they often have direct evidence of harm to specific victims.
"These cases can get prosecuted where the case is consistent with local law enforcement priorities - meaning that the question of whether they will be prosecuted is a question of prosecutorial and law enforcement resources and judgments," he says. "More and more prosecutors are aware of these cases and capable of handling them, so I would expect to see them get prosecuted when the acts are clear and where there is patient harm."
Identity theft continues to be a large problem, and the healthcare sector is a ripe target for identity thieves, Greene, the attorney, notes.
"I occasionally see prosecutors bring charges against identity thieves who use healthcare data, but have not noticed any particular trends," he says. "Many of these prosecutions may not generate significant headlines and instead fly under the radar. While the HIPAA statute provides for criminal penalties for impermissibly obtaining patient information, many prosecutors may instead rely on other legal authority."
Preventing and detecting insider breaches - including those involving potential criminal activity - is an ongoing challenge, experts say.
"It is difficult to defend against such insiders, other than performing background checks, limiting who has access to information that can be used for identity theft, and reviewing audit logs to look for suspicious patterns of access," Greene says. "At the end of the day, though, it is impossible to completely eliminate the risk."
Implementing both physical and electronic security measures to protect patient data from insiders is critical.
"As with all insider cases, companies need to have an approach to ensuring appropriate protections," Nahra says. "This involves a combination of front-end controls - for example, who can access what, etc. - and back-end controls to oversee and monitor behavior," he says. "Making sure employees know that you are watching and that they will get caught and fired and maybe prosecuted [if caught committing a privacy violation] is also relevant. Background checks are often useful, but that only helps if there have been prior problems."
Wallace says neither Miller or Bond had significant previous criminal records.