In April 2011, I blogged about two medical office assistants who had been charged criminally under HIPAA for stealing patient information and providing it to others for an ID theft/fraud ring.
Today, I learned from a post by Al Saikali on the Data Security Law Journal that Erica Hall had appealed her sentence to the Eleventh Circuit Court of Appeals on the issue of how to apply sentencing guidelines to counting “victims.” From the ruling:
Appellant Erica Hall (“Hall”) pled guilty to conspiracy to commit bank fraud, in violation of 18 U.S.C. § 1349 (Count 1); conspiracy to commit identity theft and access device fraud, in violation of 18 U.S.C. § 371 (Count 2); and wrongfully obtaining and transferring individually identifiable health information for personal gain, in violation of 42 U.S.C. § 1320d-6(a)(2) (Count 3). When imposing Hall’s sentence, the district court applied a four-level enhancement under U.S.S.G. § 2B1.1(b)(2)(B) because it found that the offense involved more than 50 but fewer than 250 victims. In objecting to the enhancement, Hall argued that the mere transfer or sale of identifying information unlawfully or without authority does not equate to the actual use of identifying information for a fraudulent purpose. Therefore, because the conspirators actually used only identifying information for 12 out of 141 individuals to obtain fraudulent credit cards, Hall argued that the two-level enhancement under U.S.S.G. § 2B1.1(b)(2)(A) was more appropriate because it applies to more than 10 but fewer than 50 victims. The district court rejected Hall’s argument, but we do not.
Would you consider yourself an “identity theft victim” if your data were transmitted to conspirators in a fraud ring – even if they didn’t use your information at all? In this case, it may not matter how you’d feel as much as how the federal sentencing guidelines are to be interpreted. And the manual on sentencing guidelines defines “victim” as:
(i) any victim as defined in Application Note 1; or (ii) any individual whose means of identification was used unlawfully or without authority.” Id., comment. (n.4(E)) (emphasis added).
Because Application Note 1’s definition of “victim” doesn’t apply to this case at all, it boiled down to whether the patients’ information was used. And according to the court, transferring information is not the same as using it.
As I read the ruling, I wondered the same thing that Al Saikali wondered:
… it will be interesting to see what impact, if any, the Eleventh Circuit’s definition of identity theft victim has on the issue of what constitutes cognizable harm for civil litigation purposes? (The Eleventh Circuit recently allowed this data breach class action to proceed).