CEO SUMMARY: It was a case of a well-liked lab worker acting in rogue fashion to steal and use the identity of a patient to commit financial fraud. Within laboratories, employees in phlebotomy, accessioning, data entry, coding, billing, and collections often have access to sensitive patient information. In positions with low hourly wages and high turnover, they may, like Gibson, find the temptation to be too much to resist.
TODAY PHLEBOTOMIST Richard. W. Gibson sits in a federal jail serving a 16-month sentence for patient identity theft. He must also pay no less than $15,000 in restitution.
His crime raises a fundamental question that must be answered by every responsible laboratory and pathology group: “how good is our lab’s system and organization at protecting us from a lab employee who intends to commit similar types of fraud and patient identity theft?”
To help answer that question, THE DARK REPORT offers a profile of Gibson, who worked for several years in laboratories around Seattle, both as a phlebotomist and doing processing work in the laboratory.
By his own admission, Gibson stole patient identity information from the hospital where he worked in the laboratory. His employer at that time, the Seattle Cancer Care Alliance (SCCA) is a hospital which is part of the University of Washington Medical Center in Seattle, Washington.
At the time of his crime Gibson, 42, was a resident of SeaTac, Washington. To patients and co-workers, he was considered polite and good-natured. He was also good enough at his profession, that, in recent years, he taught classes in phlebotomy at a local community college.
Charged Under HIPAA
Once identified as the suspect in this case of patient identity theft, the United States Attorney for the Western District of Washington charged Gibson with “disclosing individually identifiable health information of a patient” receiving treatment at the health care provider at which Gibson was employed, with intent to use that information for personal gain. Specifically, the U.S. Attorney’s office cited Gibson’s disclosure of the protected information to AT&T Universal Card for the purpose of obtaining a credit card for his personal use.
In fact, Gibson used the identity data he had stolen to open credit card accounts in the patient’s name with four different companies, including AT&T Universal Card, First USA Visa, Chase Manhattan Bank, and Fleet Credit Card Services. Using the AT&T card and the First USA Visa card, he ran up $9,139.42 in charges for everything from video games and porcelain figurines to home improvement supplies and Christmas presents for his wife and five children.
Eric Drew, 35, who was undergoing chemotherapy treatment for acute lymphoblastic leukemia, started getting mail from banks and credit card companies in response to new accounts that had been opened. During the next several months, often from his hospital bed and in a weakened state from therapies, Drew investigated this case. Drew’s breakthrough came when he caught the attention of a local TV news reporter.
When that television station broadcast a video of Richard Gibson allegedly in the act of using one of the fraudulently obtained credit cards, fellow-employees recognized Gibson and turned him in. Gibson was fired from his job shortly thereafter. A recording was made of Drew making a victim’s statement from his hospital bed and was played in court when Richard Gibson was sentenced to 16 months in prison for violating HIPAA (Health Insurance Portability and Accountability Act).
For laboratories and pathology groups, the actions by Gibson, a laboratory employee, to steal a patient’s identity and open credit accounts under that name is a warning. At the time he committed this crime, he was not under financial or other pressure. Managers and co-workers had no hint of either his intent nor of his crime.
Lab employees who are paid a low hourly wage in positions that have high turnover are a definite source of risk for patient identify theft. In areas such as phlebotomy, accessioning and data entry, coding, billing, and collections, these type of employees often have access to a patient’s personal information. It would be timely for labs and pathology groups to review their exposure to this type of crime.
Patient Eric Drew Battles Cancer & Fraud
IT WAS THE FINANCIAL IDENTITY of patient Eric Drew which was stolen by phlebotomist Richard W. Gibson.
Now 35, Drew, a resident of Los Gatos, California, had been diagnosed with acute lymphoblastic leukemia (ALL). In the fall of 2003, he traveled to the University of Washington Medical Center and the Seattle Cancer Care Alliance (SCCA) to receive advanced treatments for his disease. Drew’s disease was treated with advanced molecular therapies and he is familiar with several molecular diagnostic tests.
On the same day in 2003 that Gibson was alleged to have opened a new credit card account with AT&T Universal Card under Eric Drew’s name, Drew was posting the following update on his Website, which he used to stay in touch with family and friends and to support fund raising for acute lymphoblastic leukemia (ALL):
“I have had to become an overnight molecular biologist to figure out how I want to get through this. If you are interested, they do these tests (very expensive) to see if my bone marrow has any bad stuff in it. One is called a FISH test where I think they spread out 1,000 cells and look though an infrared computerized microscope that looks inside cells and scans the DNA for abnormalities. Pretty cool technology! The other is an even more sensitive PCR test. I have no clue as to how that one works. I should do some Internet surfing I guess.”