A woman from New York received a probation sentence averting imprisonment for a criminal violation of the Health Insurance Portability and Accountability Act (HIPAA). She is also required to pay restitution of approximately $13,000.
On March 23, 2023, 53-year-old Tonya D’Agostino of Farmington, New York sent a parcel through USPS Priority Mail to someone in Medina, New York. The parcel included files that contained four individuals’ personally identifiable health information, or data categorized as protected health information (PHI) under HIPAA. The data was acquired without the individuals’ consent, and D’Agostino wasn’t authorized to share the data with the person receiving the package. The data was shared to extort a payment of $216,000.
The Federal Bureau of Investigation (FBI) looked into this incident of data privacy violation resulting in the arrest of D’Agostino. Tonya was accused of a HIPAA violation. D’Agostino filed a plea agreement that stated her agreement to plead guilty to a count of Misdemeanor Information for violating Title 42, United States Code Sections 1320d-6(a)(2) and (b)1, which involve illegally accessing and sharing personally identifiable health information.
Individuals proven to commit HIPAA violations can face long jail terms, sizeable penalties, and other sanctions. This is true even for healthcare entities that commit HIPAA non-compliance. Because of D’Agostino’s plea agreement, she was sentenced to a maximum of 1 year in prison, issued a penalty of up to $50,000, and will also be subject to a mandatory $25 special evaluation and monitored discharge of around one year. During sentencing, Chief U.S. District Judge Elizabeth A. Wolford did not enforce a custodial sentence but rather gave D’Agostino a one-year sentence to probation and directed her to pay restitution amounting to $13,410.42.
