In discussing the recent Ponemon survey, I noted that the respondents did not seem to include anyone whose information was stolen for tax refund fraud – an all-too-prevalent crime in Florida. Here’s another example.
Ebony Edwards pleaded guilty last week to conspiracy to commit aggravated identity theft, to file false claims against the government, and to theft of government money or property. She faces a maximum penalty of 5 years in federal prison. Her plea was announced by Acting United States Attorney A. Lee Bentley, III of the U.S. Attorney’s Office for the Middle District of Florida.
According to the plea agreement, Edwards was employed with a health care provider and obtained the personal identifying information of at least 11 patients, including names, social security numbers, and dates of birth. Edwards transmitted the information to a conspirator via text messages using her cell phone. The co-conspirator then used that information to file false income tax returns.
The indictment indicates that Edwards was employed by a healthcare provider in Lee County, but does not name the healthcare provider. Her participation in the scheme extended from October 2011 through August 2012.
Having been reporting on these types of cases for a while now, I’m no longer surprised that the healthcare facility or provider isn’t named in press releases or court filings. Tonight, however, it dawned on me that perhaps one reason that these criminals aren’t also being charged with criminal violations of HIPAA is that to prove those charges, the prosecution would have to name the healthcare provider from whom the patient data were stolen.
So… are U.S. attorneys shielding breached entities by not charging criminal HIPAA violations? Anyone have any thoughts on that or first-hand professional knowledge?