Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Conspiracy to sell patient data case reaches sentencing

Conspiracy to sell patient data case reaches sentencing

A Tennessee man and 5 hospital employees recently received sentencing after being found guilty of conspiring to sell patient information. 


What happened

Between November 2017 and December 2020, Roderick Harvey paid 5 employees of Methodist Le Bonheur Healthcare in Memphis, Tennessee to provide him private patient information. Employees included Kirby Dandridge, Sylvia Taylor, Kara Thompson, Melanie Russell, and Adrianna Taber who provided Harvey names and phone numbers of patients involved in motor vehicle accidents. 

After receiving the information from employees, Harvey went on to sell the data to third parties, including personal injury attorneys and chiropractors. This constituted a clear HIPAA violation for all actors involved. 

In 2023, all employees, who were released from their duties at the hospital, pleaded guilty and were sentenced. Employees faced varying sentences: Dandridge was sentenced to one year of probation and a $25,000 fine; Thompson was sentenced to a one-year probation and a fine of $3,000; Taylor was sentenced to two years of probation; Taber was sentenced to one year of probation and a $1,000 fine; and Russell was sentenced to time served and placed on six months of supervised release. 


What’s new

In 2023, Harvey also pled guilty to conspiring with the former Methodist Hospital employees to “unlawfully disclose patient data information in violation of HIPAA.” 

According to a recent press release, Harvey has finally been sentenced in federal court by a United States District Judge, Thomas L. Parker. The sentencing was announced by United States Attorney Kevin G. Ritz on January 31st. 

Harvey is sentenced to five years of probation, one of which will be served in home detention. He is also required to pay a $50,000 fine. 


What was said

In a statement released by Methodist Le Bonhuer Healthcare, the hospital said, “We take the security of our patient’s private information very seriously. Once we became aware of the situation, we promptly took action and alerted the appropriate legal authorities.”

The hospital further stated, “We’ve cooperated fully with their investigation and ensured each patient who was affected has been notified. While there is no evidence of financial information being disclosed, we are offering free credit reporting for those affected.” 


Why it matters

The case is another reminder of the importance of data security both internally and externally. Employees must be well-informed of their responsibilities and the potential consequences for failing to adequately care for private data. 

Even though individual employees were responsible for this data breach, there can still be larger implications for hospitals who do not safeguard data properly. Employees were successfully able to steal data for over 3 years, emphasizing the need of monitoring data as it enters and leaves the hospital system. 

Related: HIPAA Compliant Email: The Definitive Guide


The big picture

Ultimately, it's the hospital's duty to provide as much protection as possible for patient data. Utilizing a HIPAA compliant email suite can make it easier to monitor and protect data as it enters and leaves a healthcare company emails. 

Try out the Paubox email suite today.  

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.