The U.S. Department of Justice announced indictments for a criminal ring involving individuals working at multiple facilities in Alabama.  Other individuals in the fraud ring were former employees of a hospital located on Ft. Benning Army base.

The ring allegedly used personal information of those served by the facilities to file tax returns in 2011 and 2012, resulting in over $20 million in fraudulently obtained refunds.

As many as 500 young adults who visited one of the State of Alabama’s 65 Health Department facilities in the last several years may have had their personal information stolen by the former employees.  Personal information was also stolen from the Alabama Department of Corrections, an unnamed Alabama state agency, and a call center in Columbus, Georgia.

Tracy Mitchell, a former employee of Martin Army Hospital on Fort Benning Army base, was indicted for 8 counts of wire fraud and 8 counts of aggravated identity theft on Feb. 5, 2014.  The indictment alleges that Mitchell knowingly used the names and Social Security numbers of eight individuals to commit wire fraud by obtaining income tax refunds totaling over $20,600 in 2013.

A superseding indictment filed on May 1, 2014 alleges that Mitchell, along with 9 other individuals, committed additional wire and mail fraud in similar tax fraud schemes, submitting fraudulent tax returns that resulted in over $20 million in claims between January 2011 and December 2013.  According to the Department of Justice, 7,000 or more false tax returns were filed during the large-scale operation.

While an investigation is ongoing, the Department has informed the individuals that their information, including names, birth dates and Social Security numbers, may have been printed by former employees without authorization with the intent that it be used in a tax fraud scheme.  The individuals, mostly born in 1996, were targeted for their age, as most 18-year-olds are filing taxes for the first time.

Covered entities should be aware that IRS tax refund fraud is a relatively new but widespread criminal enterprise that is easy to carry out and can be perpetrated by unsophisticated individuals.  The information in patient registration systems provides everything that is needed to perpetrate this fraud.  The controls to safeguard against this improper and unlawful use of protected health information include:

  1. Access controls.  Access to patient records should be limited based on the job description, as determined by the minimum necessary analysis.
  2. Unique User ID.  All users must use their own, unique user ID when accessing software.  Passwords should be known only to the individual.  This control ensures that individuals are accountable for their actions.
  3. Software Audit Trails.  Software used for medical records should include audit trails to track all activity by end users, and these audit trails must be properly configured.  Briefly, the software should track everything that an individual does, including what records are examined, modified, printed or deleted.  Note that even in 2014, nine years after the HIPAA Security Rule first mandated that software used to process PHI include audit trails, some software still does not include robust audit trails.
  4. Audit Program.  Covered entities must have an internal audit program to monitor the use of their software.  Audit strategies should be created based on the highest-probability violations.
  5. Employee Sanctions.  When employee violations are discovered, covered entities must have an effective sanctions program to deal with the improper behavior.

All of these controls, each one a requirement of the HIPAA Security rule, work together to help protect against the kind of violation that is described above.  In many cases, the access controls will not prevent the improper use.  However, the auditing program will detect improper uses.  The employee sanctions will deter the employee from future violations, and as word gets around the organization that employees are punished for misbehavior, there is a deterrent effect that reduces future violations.
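As an added illustration (not code from the original post or from any particular vendor), here is how an internal audit program might screen an audit-trail export for the pattern described above: one user printing an unusual number of records in a day, or accessing records that cluster in a single birth year. The log format, user names, record IDs and thresholds are all hypothetical and constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample audit-trail export (hypothetical format): timestamp|user|action|record_id|patient_dob
SAMPLE_AUDIT_LOG = """\
2014-03-03T09:01:12|jdoe|VIEW|R1001|1996-04-02
2014-03-03T09:02:40|jdoe|PRINT|R1001|1996-04-02
2014-03-03T09:04:05|jdoe|PRINT|R1002|1996-07-19
2014-03-03T09:05:31|jdoe|PRINT|R1003|1996-01-08
2014-03-03T09:06:52|jdoe|PRINT|R1004|1996-11-23
2014-03-03T09:08:10|jdoe|PRINT|R1005|1996-03-30
2014-03-03T10:15:02|asmith|VIEW|R2001|1954-02-11
2014-03-03T10:20:44|asmith|PRINT|R2002|1978-06-05
2014-03-03T11:02:19|asmith|VIEW|R2003|1996-12-01
"""

def parse_audit_log(text):
    """Parse pipe-delimited audit lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, action, record_id, dob = parts
        events.append({"day": ts[:10], "user": user, "action": action.upper(),
                       "record": record_id, "birth_year": dob[:4]})
    return events

def find_suspicious_users(events, print_threshold=5, cohort_min=5, cohort_share=0.8):
    """Return {user: [reasons]} for users matching either rule. Thresholds are
    hypothetical policy values that an organization would tune to its own baseline."""
    prints_per_day = Counter()           # (user, day) -> number of PRINT actions
    records_by_user = defaultdict(dict)  # user -> {record_id: birth_year}
    for e in events:
        if e["action"] == "PRINT":
            prints_per_day[(e["user"], e["day"])] += 1
        records_by_user[e["user"]][e["record"]] = e["birth_year"]
    alerts = defaultdict(list)
    for (user, day), n in prints_per_day.items():      # rule 1: print volume
        if n >= print_threshold:
            alerts[user].append(f"{n} record prints on {day}")
    for user, recs in records_by_user.items():          # rule 2: birth-year clustering
        year, n = Counter(recs.values()).most_common(1)[0]
        if n >= cohort_min and n / len(recs) >= cohort_share:
            alerts[user].append(f"{n}/{len(recs)} distinct records share birth year {year}")
    return dict(alerts)

if __name__ == "__main__":
    for user, reasons in find_suspicious_users(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Alerts of this kind are a starting point for the audit program's review, not a finding on their own; a legitimate role (such as a records clerk handling a school-physical clinic) can produce the same pattern.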

Negligent employee behavior can lead to unintentional breaches of PHI, too, such as the breach that was caused by the employee of a call center that was contracting for the Connecticut Health Exchange. We blogged here about several additional controls we advised in that situation that can also help protect PHI at your organization.
