Today, the U.S. Attorney’s Office for the Southern District of Florida revealed a prosecution stemming from an insider breach impacting Aventura Hospital patients, although I’m not confident I can figure out which Aventura Hospital breach this is related to (see PHIprivacy.net and this site for previous reports of Aventura Hospital insider breaches). Note that the employee reported that to avoid detection, he took screenshots of patient records and then printed out the screenshots. This is a method I’ve noted before on this site and on phiprivacy.net.
United States v. Jesney Eliassaint, Case No.15-2378-MJ-Simonton
On March 23, 2015, Jesney Eliassaint, 33, of Miami, was charged by criminal complaint for his involvement in an identity theft scheme.
According to the criminal complaint, in February 2014, officers with the Miami Gardens Police Department performed a traffic stop of a car for having an expired vehicle registration. Inside the car were several iPads and sheets of paper containing (“PII”) – including names, dates of birth, and Social Security numbers – of various individuals. A subsequent investigation by the USSS revealed that there were approximately 137 different names, with corresponding PII, printed on the sheets, some of which had the word “Patient” written across the top. The USSS determined that the PII found in the vehicle originated from a data breach at Aventura Hospital. The breach had been executed from Eliassaint’s computer in the hospital’s medical billing department. According to Aventura Hospital, computer records revealed that Eliassaint had conducted approximately 4,000 inquiries for patients by their date of birth.
During the investigation, USSS agents interviewed Eliassaint, who admitted to conducting the searches and printing out patient records containing the PII while he was working as a contract employee for an outside company. Eliassaint also told USSS agents that he would take screen shots of the patient records and then print them out to avoid detection. Eliassaint stated that he sold the sheets of paper, containing PII, for approximately $100 per sheet, to several individuals. Eliassaint estimated that he made a total of $2,000 for selling the patients’ information.
The defendant is charged with access device fraud and aggravated identity theft.