The first conviction under HIPAA, the United States Health Insurance Portability and Accountability Act, has taken place in Seattle. The US Attorney's office has released the following press release, describing the guilty plea related to the theft of a cancer patient's personal information for ID theft purposes. Interestingly, he wasn't charged under traditional identity theft laws, but only for "wrongful disclosure of individually identifiable health information for economic gain.".

http://www.usdoj.gov/usao/waw/press_room/2004/aug/gibson.htm

August 19, 2004
 

SEATTLE MAN PLEADS GUILTY IN FIRST EVER CONVICTION FOR HIPAA RULES VIOLATION
 

RICHARD W. GIBSON, age 42, of SeaTac, Washington pleaded guilty today in federal court in Seattle to wrongful disclosure of individually identifiable health information for economic gain. This is the first criminal conviction in the United States under the health information privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) which became effective in April, 2003. Those provisions made it illegal to wrongfully disclose personally identifiable health information.
As set forth in the Plea Agreement (also view Information), GIBSON admitted that he obtained a cancer patient's name, date of birth and social security number while GIBSON was employed at the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient's name. GIBSON also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient's name. GIBSON admitted he used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries and gasoline for his personal use. GIBSON was fired shortly after the identity theft was discovered.

The Government and GIBSON agreed as part of the Plea Agreement, that GIBSON should be sentenced to a term of 10 to 16 months. Under these terms, the Court could order that the term be served either wholly in federal prison, or in a combination of federal prison and either home confinement or community confinement. GIBSON has also agreed to pay restitution to the credit card companies, and to the patient for expenses he incurred as a result of GIBSON's use of his identity.

At a hearing scheduled for November 5, 2004, U.S. District Court Judge Ricardo S. Martinez will determine whether to accept the Plea Agreement, and if accepted, will determine GIBSON's sentence within the 10-16 month range set forth in the Plea Agreement and the length of any supervised release following his prison term. If the Court rejects the Plea Agreement and the agreed upon sentence, GIBSON will have an opportunity to withdraw his guilty plea.

"Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life, and having to cope with identity theft is just unconscionable," stated United States Attorney John McKay. "This case should serve as a reminder that misuse of patient information may result in criminal prosecution."

The case was investigated by the Federal Bureau of Investigation (FBI) and is being prosecuted by Assistant United States Attorney Susan Loitz. For further information please contact Emily Langlie, Public Affairs Officer for the United States Attorney's Office at (206) 553-4110.

Thanks to Symtym and GruntDoc for leading me to this release.

Labels: health information, identity theft, information breaches, law enforcement