Feds Get First Privacy Conviction
(August 23, 2004)

A SeaTac, Wash.-based former employee of the Seattle Cancer Care Alliance has pleaded guilty to violating the HIPAA privacy rule, the first criminal conviction under the rule. In a plea agreement with the U.S. Attorney's Office in the Western District of Washington, Richard Gibson admitted to using a patient's name, date of birth and Social Security number to obtain four credit cards between October 2003 and January 2004. He then charged more than $9,100 on two of the cards for video games, home improvement supplies, clothing, jewelry, porcelain figurines, groceries and gasoline, according to federal prosecutors.

Under the plea agreement, Gibson pled guilty to one count of wrongful disclosure of individually identifiable health information. He agreed to accept a sentence of 10 to 16 months, plus restitution to the credit card companies and patient. U.S. District Court Judge Richard Martinez on Nov. 5 will review the agreement and either accept the sentence or impose his own. If Martinez rejects the plea agreement, Gibson will have the opportunity to withdraw his guilty plea. Under the HIPAA privacy rule, criminal use of a patient's information for personal gain is punishable by imprisonment for up to 10 years and a fine of up to $250,000.

The Seattle Cancer Care Alliance fired Gibson after the identity theft was discovered. The FBI investigated the case. A copy of the plea agreement is available on the Department of Justice Web site at www.usdoj.gov/usao/waw/.

Posted to HIPAAcomply 8/23/04