A Miami-Dade County resident has been sentenced to 61 months in prison, followed by two years of supervised release.
Noel Barrientos previously pled guilty to one count of possessing fifteen or more access devices (social security numbers of other people) and one count of aggravated identity theft.
According to court documents, law enforcement executed a search warrant at Barrientos’ residence based on suspected narcotics activity. During the search warrant, officers observed and recovered a total of 15 credit/debit cards that were located throughout the premises all in different names including names of men and women not associated with Barrientos or his residence. Three of the cards were located in Barrientos’ wallet.
Court documents also state that during the search warrant, law enforcement found a computer that contained a file with the names, dates of birth, and social security numbers of 8,678 unique patients. Agents determined that the list came from a doctor’s office located on Sunset Drive in South Miami. A former doctor’s office employee, Gillian Armstrong [1:14-cr-20339], had access to the patient list and sold it to Barrientos. Barrientos sold the names to other individuals who used the fraudulently obtained names to file fraudulent income tax returns. Law enforcement officers also tracked fraudulent income tax return filings to Barrientos’ residence.
In September, 2014, Armstrong was sentenced to 36 months in prison, followed by three years of supervised release for her role in the scheme.
SOURCE: U.S. Attorney’s Office, Southern District of Florida
Not surprisingly, the doctor’s office was not named in either the release or the public court filings, and inspection of HHS’s public breach tool does not reveal any breached entity with the exact number mentioned in the press release. Inspection of the proffer in Armstrong’s case, however, does provide some interesting details about the method and means of the breach:
ARMSTRONG acted as a “thief” in this case, stealing PII for Barrientos who then sold it to third parties. ARMSTRONG became involved in late 2010, early 2011, when she was desperate for money. At the time, ARMSTRONG was a single mother with a debilitating crack cocaine addiction. ARMSTRONG was working for a doctor’s office in South Miami at the time of the theft while she was living out of her car.
During that time-period, ARMSTRONG agreed to sell Barrientos PII stolen from the doctor’s office in exchange for money. At first, ARMSTRONG copied a few names down by hand while at work and sold them to Barrientos. ARMSTRONG was able to access the PII from the doctor’s office through an off-site database company (“the database”). At the time, a1l patient information was accessible by logging onto the database website with a user name and password. Each employee has a unique username and password.
Eventually ARMSTRONG gave Barrientos the username and password to the database account. Barrientos downloaded information in batches and sold it to others. ln turn, Barrientos paid ARMSTRONG. On or about November 18, 2011, ARMSTRONG was fired from the doctor’s office. ARMSTRONG stated that when she told Barrientos that she was fired, he told her that he downloaded whatever number of names he could fit on a USB drive andtold her, “don’t worry.”
Even with that added detail, however, there is nothing in HHS’s breach tool that seems to really match up. By all accounts, the massive/major download occurred in November, 2011. If anyone can figure out which incident this might be, let me know. I suppose it’s possible that the breach was either reported with a different date or different number of affected, or that it was reported but hasn’t yet been added to the breach tool. Comparing a list of doctor’s offices on Sunset Drive in South Miami to entities on the breach tool does not reveal any matches that I can see.
The proffer in Barrientos’s case adds one more detail of note: when law enforcement officers examined the “Bread” file on Barrientos’s computer, the list of over 8,000 patients included the patients’ names, social security numbers, dates of birth, chart numbers, and insurance information. The patients, then, were also at risk of medical identity theft, although there’s nothing in the court records that indicated any reports of that.
why don’t you just write ARMSTRONG a letter and ask her where she worked? I am sure she will tell you. Not joking. Look her up on the BOP website and send her a note. She will discuss it.
I have a question: What do you mean about reporting this to the HHS breach tool. WHo is required to do that? Does HHS require the doctor to do it? What about the US Attorney’s Office or the IRS.? Do they need to report it to HHS?
Thank you.
If you know her well enough to assure me she would answer, why don’t you just tell us?
A HIPAA-covered entity whose patient data has been stolen or breached (as defined by HIPAA) is required to report the breach to HHS. Neither the USAO or IRS have any obligation to do so.