CEO SUMMARY: Patient identity theft by a phlebotomist, prosecuted and convicted under HIPAA. This is a story whose true dimensions went unreported within the laboratory industry—until now! THE DARK REPORT is first to alert its clients to the possibility that every laboratory and pathology group practice may be at greater risk from internal patient identity theft than previously thought.
HERE’S A NEWS FLASH that may shock laboratory administrators and pathologists all over the country. Federal prosecutors have convicted their first violator of the HIPAA law—and it’s a phlebotomist who stole a patient’s identity!
The implications of this situation are profound. Every laboratory and pathology group practice may be at greater risk for patient identity theft than from violations of HIPAA. This is a story exclusive to THE DARK REPORT.
The intelligence briefings in this issue are designed to help clients and regular readers in three ways. First, to understand the facts behind this case. Second, to learn about overlooked flaws in laboratory procedures that give employees an opportunity to commit patient identity theft. Third, to identify strategies and policies that can reduce risks from laboratory employees who intentionally attempt to steal patients’ identities.
The facts in this case are simple. Richard W. Gibson was a phlebotomist once employed in the lab at Seattle Cancer Care Alliance (SCCA), part of the University of Washington Medical Center system in Seattle, Washington.
In October 2003, Gibson began using protected identity data that he had stolen from a patient receiving treatment for a rare and often fatal form of cancer at SCCA. (See pages 9-10.) When the patient began receiving letters from banks and credit card companies thanking him for his business—and, not long after, bills for over $9,000 worth of merchandise that he had not purchased—he immediately began to question these developments from his hospital bed. His efforts triggered a police and FBI investigation which eventually nailed the perpetrator.
Richard Gibson is an experienced phlebotomist who was well-liked by patients at SCCA. Every day, the cancer patient who became a victim of Gibson’s crime observed him from his hospital bed. The police investigation into the patient identity theft case was solved when Gibson was finally identified by co-workers. They recognized Gibson after a local news station broadcast footage from a surveillance camera videotape that showed Gibson making a purchase with one of the fraudulently obtained credit cards. Gibson was fired shortly after SCCA learned of the incident.
Following his termination, Gibson had the gall to apply for unemployment benefits. The administrative law judge did not believe his story that he had retrieved the protected patient information from a piece of paper on the floor of a rest room at SCCA. The judge denied his claim, stating that it was his belief Gibson had obtained the information from the patient’s confidential files inside SCCA.
Charged Under HIPAA
A number of factors in the Gibson case caught the attention of federal prosecutors as a violation of HIPAA laws. “Once it was known that the person identified was a healthcare worker, our office and the FBI asked to take over the case from the local authorities,” stated Assistant U.S. Attorney Susan Loitz, of the United States Attorney’s Office of the Western District of Washington.
Gibson’s case did not take long to resolve. In August 2004, he agreed to plead guilty to charges of “wrongful disclosure of individually identifiable health information for economic gain.” At this time, the national media covered the story because it was the first criminal conviction under the HIPAA law.
Then, on November 5, 2004, Gibson was sentenced by U.S. District Court Judge Ricardo S. Martinez in Seattle. He was sentenced to 16 months in prison and at least $15,000 in restitution. Again, this story caught the attention of national news media. But until this issue of THE DARK REPORT, no one in the laboratory industry had made the connection that Gibson was a phlebotomist—and that this was a case of patient identity theft to which any laboratory and pathology group practice could be vulnerable.
Federal Attorney’s Decision
“We could have charged Mr. Gibson with unlawful identity theft,” explained Loitz, “but the healthcare connection made it more important that a HIPAA crime should be charged.”
Loitz, who prosecuted the case, noted that Gibson “is a phlebotomist who was employed by a covered entity. Mr. Gibson had direct contact with patients. It was…a violation of HIPAA’s criminal provisions since the information had been collected from [the patient] because he was a patient.”
According to Loitz, the sentencing range would not have been any smaller or larger if Gibson had been charged with identity theft alone, or along with the HIPAA violation. “By charging him with HIPAA,” stated Loitz, “we brought attention to the most troubling aspect of the case…that a vulnerable cancer patient was taken advantage of by someone who he had looked to care for him, not to harm him.”
As is true in many federal convictions, Loitz revealed the broader reason for prosecuting under the HIPAA criminal provisions. “We also brought attention to the HIPAA criminal statute itself,” she said. “And perhaps this will raise awareness and help deter future crimes.”
Lab directors and pathologists should know that some healthcare attorneys questioned the decision by the Department of Justice (DOJ) to prosecute this case of patient identity theft under the HIPAA statutes. They were concerned about whether the DOJ might be shifting its overall approach to considering any individual or entity—whether or not a “covered entity” under HIPAA—as being subject to criminal prosecution.
Loitz responded to these concerns, stating that the Gibson case was an easy call. “Gibson clearly violated the HIPAA criminal statute” she declared. “He knew what he was doing; he did what he intended to do; he was caught in the act of improperly disclosing the patient information; and so we prosecuted him under HIPAA.”
Loitz also made a point of clearing the employer, Seattle Cancer Care Alliance, of any wrongdoing or non-compliance. “The defendant’s employer cooperated completely with us in the investigation,” stated Loitz. “We did not believe that the employer had culpability for Mr. Gibson’s conduct. We did review the patient protection policies and procedures of the employer, and we were satisfied that there was no fault with the employer,” added Loitz.
THE DARK REPORT considers Loitz’s comments about SCCA to be particularly insightful. It was a healthcare provider which law enforcement authorities and federal investigators considered to be in full compliance with HIPAA mandates and requirements. Yet phlebotomist Richard Gibson was still able to rather easily steal the information needed to successfully commit patient identity theft.
Given the facts of the Gibson case, it is reasonable to assume that laboratories and pathology group practices have greater exposure than previously thought. Obviously, the greatest risk would involve laboratory employees who daily work with sensitive patient information. That would include phlebotomists, data entry people in accessioning, and the coding, billing, and collections staff, among others.
To help laboratory managers and pathologists better gauge the implications of the Gibson identity theft case to their own situation, THE DARK REPORT provides two stories which follow. First is a dual interview with the attorney for SCCA and the privacy director of SCCA. They have advice and insight on how labs and pathology groups can better protect themselves from this type of crime.
“Everyman” Lab Employee
Second is a profile of Richard Gibson and his actions. He was an “everyman” type of employee who surprised everyone by his crime, since he was not under financial pressure.
THE DARK REPORT recommends that every laboratory and pathology group practice take note of Gibson’s conviction under the HIPAA statute. It is timely to reconsider policies and procedures governing access to, and use of, confidential patient information. Your goal should be to take the lessons learned in the Gibson-SCCA case and make it even tougher for employees in your laboratory to commit the crime of patient identity theft.