A Texas woman will spend more than two years in federal prison in a HIPAA-related case for her part in “breaching” what the federal government called a “protected computer” owned by an unidentified health care provider. The 30-month sentence U.S. District Judge Sean D. Jordan imposed on Amanda Lowry in July stems from her December guilty plea to the charge of conspiracy to obtain information from a protected computer. Two others have also pleaded guilty in the case; one is awaiting sentencing.
The case serves as yet another reminder of the reality—not just the threat—that thieves, perhaps working on the inside, will steal and monetize protected health information, sometimes running it through a wide and complicated operation. If and when they are caught, the consequences for them can be severe, and covered entities and business associates are also left picking up the pieces and, hopefully, hardening their security.
The first person sentenced in this case was Demetrius Cervantes. After his guilty plea in March, Cervantes was sentenced to 48 months in prison, according to Acting U.S. Attorney Nicholas J. Ganjei of the Eastern District of Texas, who also announced Lowry’s sentencing. The third individual who pleaded guilty, Lydia Henslee, has not yet been sentenced and has multiple other charges against her.
In his announcement, Ganjei referred to the trio as part of a “fraud ring who used proceeds from stolen information to purchase an array of luxury items.”
DME Orders Were Fabricated
According to the government, the three accessed a provider’s electronic health record “in order to steal protected health information and personally identifiable information belonging to patients.” Once pilfered, the information was “repackaged” as “false and fraudulent physician orders and subsequently sold to durable medical equipment” (DME) companies.
Lowry and the others, the government alleged, “obtained more than $1.4 million in proceeds from the sale of the stolen information,” which they spent on “sport utility vehicles, off-road vehicles, and jet skis,” among other items.
As a result of the guilty pleas, various assets, including a 2019 Land Rover and several all-terrain or off-road utility vehicles, were forfeited.
Henslee’s other charges relate to the first case but go beyond it.
‘Patient Lead Companies’ Were Reportedly Used
In November she was named in a 10-count indictment “with one count of conspiracy to unlawfully transfer, possess, and use a means of identification, and nine counts of unlawfully transferring, possessing, and using a means of identification. If convicted, she faces up to 15 years in federal prison,” Stephen J. Cox, then the U.S. attorney for the Eastern District, announced in December.
In addition, Henslee was charged in a separate superseding indictment along with three Florida men, including Steven Churchill, and one from Texas, with “one count of conspiracy to commit illegal remunerations,” a violation of the Anti-Kickback Statute. This group of individuals, the government said, “collectively obtained more than $2.9 million in proceeds from the criminal scheme” during the same eight-month period. Their cases are still pending.
According to Churchill’s unsuccessful attempt to have his indictment overturned, he allegedly used “patient lead companies” to provide individual Medicare patient information to Henslee and another indicted individual who “used the information to create fictious (sic) prescriptions for dental braces, which they later sold” to a third person.
This person “billed Medicare $3,781,105 for the prescriptions, part of which he distributed to co-defendants as kickbacks for their role in the scheme,” court records say.
Sentence Follows Recent Case
While criminal prosecutions related to HIPAA violations are rare, the sentencing of Lowry and Cervantes to jail time comes on the heels of the case of Jennifer Lynne Bacor, who was given five years’ probation in June after pleading guilty to one count of wrongfully obtaining individually identifiable health information under false pretenses.
Nearly four years earlier, Bacor shared with a family friend a photo of her former boyfriend’s wound that she obtained through the medical records system at the hospital where she was a patient care technician.
She had already been fired by the time she was indicted. As part of her probation, Bacor, who spoke exclusively to RPP about her situation, was also required to refrain from working in health care for five years.