DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Four women indicted for stealing $750K in merchandise using patients’ information two of them allegedly stole while employed at medical practices

Posted on October 18, 2013 by Dissent

Associated Press reports:

Four women have been indicted on charges of stealing more than $750,000 in merchandise using personal information obtained from patients in medical offices where two women worked.

A federal grand jury in Baltimore returned the indictment on Thursday. The indictment alleges that 27-year-old Michelle Jernell Cole of Baltimore, and her sister, 30-year-old Chanell Cole of Owings Mills, worked in medical practices.

Prosecutors say the Cole sisters used the information of nearly 50 patients and with their co-defendants, took over credit accounts at department stores and bought items for their personal use.

Also indicted in the alleged conspiracy are 36-year-old Denise Wearing and 39-year-old Yolana (sic) Welch, both of Philadelphia.

SOURCE: Washington Post

AP does not report which medical practices or offices the women worked in, and given that less than 500 patients were involved, we are not likely to see this on HHS’s public-facing breach tool.  PHIprivacy.net was able to uncover the identity of the practices in an affidavit in support of the criminal complaint involving Yolanda Welch.

The case against Welch arose in 2012 after the U.S. Secret Service was contacted by Macy’s Special Investigation Unit, who had been receiving reports since 2010 from approximately 100 customers that their accounts had been misused. In investigating their complaints, Macy’s discovered that about 60 of the 100 customers had been patients or employees at one of four medical practices connected to Michelle Cole or Chanell Cole. The four practices were:

Lynn Billingsley, M.D. (at Good Samaritan Hospital) (8 victims)
MedStar Health Inc. hospitals (4 victims)
Padder Health Services, LLC (7 victims)
BW Arthritis and Rheumatology (33 victims)

According to the affidavit attached to the complaint, Dr. Billingsley confirmed that Chanell Cole had been in her employ from August 2008 to May 2010, and had been fired for writing fraudulent prescriptions. During the time of her employment, she had unfettered access to patient information as well as access to a MedStar Health database.

Chanell Cole’s LinkedIn profile, uncovered by PHIprivacy.net,  indicates that as of August 2013, Cole had been employed as a store manager at Laila Rowe for three years, but prior to that, she was employed by Dr. Billingsley as a medical office assistant at Good Samaritan Hospital from July 2008 – July 2010.  She describes her duties this way:

Customer service greeting patients as they enter the practice or when they make an inquiry by phone. Record keeping on a daily basis. Scheduling for patients within the practice and arranging for hospital admissions for patients who need further attention. Billing and coding.
Accounts receivable/payable & bookkeeping. Dealing with insurance claims, collection and coding. Patient medical history collection and medical exam preparation.

It takes a certain amount of chutzpah to list your former employer when you were allegedly fired for writing fraudulent prescriptions.

Chanell’s sister Michelle Cole  was employed by Padder Health Services from June 2010 until her firing in February 2012. She, too, was fired for writing fraudulent prescriptions and she, too, had access to patient information while employed there. She was subsequently employed by BW Arthritis and Rheumatology from February 2012 to February 2013 and had access to their patient information database.

Parenthetically, I note that the defendants were allegedly able to steal patients’ SSN from the patient databases they had access to and that Macy’s only required customers calling in orders to provide their name, address and Social Security number to place an order on a credit account. If the medical practices had not collected patients’ SSN and/or if Macy’s didn’t use SSN to authenticate, some of this crime might have been prevented.

Of course, an indictment is not a conviction and everyone is presumed innocent until any charges are proved.

 


Related:

  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • North Country Healthcare responds to Stormous's claims of a breach
  • Texas Enacts Electronic Health Record Data Localization Law
Category: Health Data

Post navigation

← Half Of Federal Agency Security Breaches Caused By Lack Of User Compliance
VA says its patient records weren't compromised →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hackers post stolen St. Paul data online as efforts to reset city employee passwords surge forward
  • Justice Department Announces Coordinated Disruption Actions Against BlackSuit (Royal) Ransomware Operations
  • NL: Hackers breach cancer screening data of almost 500,000 women
  • Violent Crypto Crimes Surge in 2025 Amid Massive Data Leaks
  • Why Ransomware Attacks Are Decreasing in 2025
  • KR: Yes24, the largest Internet bookstore in Korea, suffered its second ransomware attack in two months
  • Korea wins world’s top hacking contest for 4th consecutive year
  • 7-Zip Vulnerability Lets Hackers Write Files and Run Malicious Code
  • Connex Credit Union notifies 172,000 members of hacking incident
  • Federal judiciary says it is boosting security after cyberattack; researcher finds new leaks (CORRECTED)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Navigating Privacy Gaps and New Legal Requirements for Companies Processing Genetic Data
  • Germany’s top court holds that police can only use spyware to investigate serious crimes
  • Flightradar24 receives reprimand for violating aircraft data privacy rights
  • Nebraska Attorney General Sues GM and OnStar Over Alleged Privacy Violations
  • Federal Court Allows Privacy Related Claims to Proceed in a Proposed Class Action Lawsuit Against Motorola
  • Italian Garante Adopts Statement on Health Data and AI
  • Trump administration is launching a new private health tracking system with Big Tech’s help

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.