Fraud Management & Cybercrime , Governance & Risk Management

Second Defendant Sentenced in EHR-Related Fraud Case

Experts Say Case Spotlights Critical Risk Management Issues
Second Defendant Sentenced in EHR-Related Fraud Case

A second defendant has been sentenced for her role in a Texas conspiracy involving the theft of data from patients' electronic health records that was then sold to support fraudulent claims for payment.

Amanda Lowry of Sherman, Texas, was recently sentenced to 30 months in prison after pleading guilty last year to conspiracy to obtain information from a protected computer, the U.S. Department of Justice says.

“The defendant’s actions not only compromised victims’ sensitive information, exposing them to fraudulent schemes, but also ultimately resulted in unnecessary costs to federal healthcare programs,” said Nicholas Ganjei, acting U.S. attorney of the Eastern District of Texas.

Co-Conspirator Sentenced

Earlier this month, a co-conspirator in the case, Demetrius Cervantes, was sentenced to 48 months in prison after pleading guilty to the same charge as Lowry (see: Defendant in Stolen EHR Data Case Sentenced).

A third defendant, Lydia Henslee, pleaded guilty in March, but her sentencing date has not been set.

In a superseding indictment, Henslee was hit with 10 more charges, including nine counts of unlawfully transferring, possessing and using a means of identification.

EHR Breached

The defendants in the fraud case "accessed a healthcare provider's electronic health records without authorization and obtained PHI and PII," the Justice Department tells Information Security Media Group.

Court documents do not identify the healthcare providers breached in the case or the defendants' employers.

The defendants "did not have authorization to access the computers that contained the patient information. The EHR system was accessed by the defendants, external individuals who did not have work-related access or authorization to access the system," prosecutors say.

Court documents do not provide details of how the defendants allegedly obtained the stolen patient information or how many patients' records were involved in the fraud scheme.

Prosecutors say the stolen patient information was “repackaged” in the form of false and fraudulent physician orders and subsequently sold to durable medical equipment providers and contractors. The defendants obtained more than $1.4 million in proceeds from the sale of the stolen information, which was then used to purchase sport utility vehicles, off-road vehicles, jet skis and other items, the Justice Department says.

Critical Considerations

Some experts say the case serves as a reminder of the importance of strong access management controls.

"Unauthorized access as a root cause of the theft of electronic protected health information in this case should raise three questions," says regulatory attorney Rachel Rose, who is not involved in the Lowry case.

"First, what technical access controls were in place and how often were they monitored - more importantly, how did this happen? Secondly, what do [an entity's] policies and procedures state in terms of prevention, detection and correction of a cybersecurity event? Third, is there a potential False Claims Act case and/or criminal action that could be brought in light of the circumstances?"

Larger Enforcement Trends

The fraud case spotlights "that the DOJ has made both cybersecurity and EHRs two areas of heightened enforcement action," Rose notes.

"With heightened scrutiny by DOJ, the Department of Health and Human Services and other government agencies, no one can afford to be either complacent or cavalier about ignoring their obligations to protect the privacy and security of PHI."

Rose will be a speaker at the Aug. 17-18 ISMG Virtual Cybersecurity Summit: Fraud & Payments Security.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.