Conviction for Former Tampa Hospital Employee Following PHI Theft and Tax Fraud

A former staff member of Tampa General Hospital has been convicted of wrongful disclosure of individually identifiable health information and wire fraud.

Shanakia Benton was accused of illegally obtaining the protected health information of patients while she was working at Tampa General Hospital. According to court documents, between June 2011 and December 2012, Benton accessed the computer system of Tampa General Hospital, printed out the individually identifiable information of 644 patients, and illegally removed it. The stolen data contained names, Social Security numbers, dates of birth, addresses, and medical diagnoses.

In addition to using the data to file fraudulent tax returns in the names of the victims, Benton planned to sell the stolen data to other people. In total, Benton submitted 29 fraudulent tax returns totaling $226,000.

Benton had previously signed a document stating that she knew the rules on accessing patient information and was aware that she was required to protect the privacy of patients at all times. Benton's actions were identified and she was arrested. In May 2016 she pleaded guilty to the offenses in court.

Recently, U.S. District Judge Susan C. Bucklew, a senior judge of the United States District Court for the Middle District of Florida, sentenced Benton to serve three years in jail for the offenses she committed. Benton must also pay back the $77,239 in fraudulent tax refunds she received from the IRS.

The Department of Health and Human Services' Office for Civil Rights recently highlighted the risk of insider theft of protected health information. Covered entities were warned that insider data theft is one of the most common causes of healthcare data violations.

It is not possible to prevent healthcare staff from accessing patient information, but policies and procedures should be put in place to ensure that improper ePHI access is detected quickly. All ePHI access attempts should be logged, and those logs should be reviewed regularly.