At the end of May, Rico Prunty was sentenced to 54 months in prison after pleading guilty to aggravated identity theft and a criminal violation of HIPAA.
What happened
According to the US Attorney’s Office, Northern District of Indiana’s press release, Rico Prunty was an employee at an Arizona medical facility. Between July 2014 and May 2017, Prunty accessed patient medical intake forms containing identifiable health information, including names, social security numbers, and medical information.
A more recent press release revealed that Prunty had several co-conspirators, Vincent Prunty, Temika Coleman, and Gemico Childress, to whom Prunty gave the information. His co-conspirators went on to open credit card accounts, or access credit card accounts, with the information obtained.
It’s estimated that Prunty illegally accessed nearly 500 patients’ protected health information. Prunty now faces 54 months in prison followed by 2 years of supervised release and has been fined $132,521.98 in restitution. His co-conspirators also face prison; Vicent Prunty will receive 154 months, Temika Coleman 121 months, and Gemico Childress 134 months.
Why it matters
Rico Prunty’s case is far from the only instance of data being stolen and sold. Recently, in Tennessee, former healthcare workers pled guilty to selling sensitive data.
Read more: Former healthcare workers plead guilty to HIPAA violations.
According to the Department of Human Health Services (HHS), they have been at least 325,577 complaints regarding employee HIPAA violations. Some of these violations have been unintentional, which can result in a lessened sentence.
Intentional and unintentional violations point to a misunderstanding or blatant disregard for the importance of following HIPAA regulations and the penalties for refusing to.
An April survey further revealed the gap in cybersecurity implementation, where many employees in the United States said they understood the value of cybersecurity but did not strictly enforce security procedures.
Read more: New survey reveals gap in cybersecurity implementation.
A culture of lackadaisical implementation can make it easier for individuals to steal data, resulting in compromises that can reflect poorly on all healthcare staff and result in hefty sentencing.
Going deeper
An article from Forbes suggests that it’s easier now than ever to steal medical and identity information because of the digitalization of records. There’s also a large financial incentive, as health information can sell for a high price tag on the black market.
According to Sean Kennedy, VP and GM of Global Health Strategy and Solutions at Salesforce, healthcare workers need to recognize their role in security. Organizations should “empower their workforce by fostering a strong security-first culture.”
The bottom line
These days, security threats seem everywhere–from global hackers like LockBit to accidental or intentional data breaches from within.
Healthcare organizations should do their best to create a security culture that employees understand and feel expected to follow. Hopefully, if more people are aware of the impact of medical identity fraud, it can encourage a safer healthcare community.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
