Grand jury indicts man allegedly responsible for Las Vegas University Medical Center breach

In a follow-up to a HIPAA breach that Las Vegas’ University Medical Center reported last November, the FBI investigation into the matter has resulted in an indictment of the UMC employee allegedly responsible for selling data about medical center patients to personal injury lawyers. The criminal case is being brought by federal prosecutors under the authority of protected health information provisions in HIPAA, and in accordance with the penalties for such violations, the accused could be put in jail for up to five years and fined as much as $250,000. The fact that the investigation has come to this may be slightly less surprising following the announcement this week of the first criminal prosecution under HIPAA to result in jail time, a milestone achieved by federal prosecutors in California.

When the Las Vegas matter was first made public, there was speculation in the local media that UMC had little reason to be concerned about the breach, given the rarity of significant penalties resulting from HIPAA violations. The indictment would seem to suggest that HIPAA enforcement is in fact getting stronger since the passage of the HITECH Act.

It remains to be seen if the hospital will suffer direct consequences from this incident, presumably based in part on whether anyone can show that UMC was aware or should have been aware of the actions of its employees. Other stories about the investigation have suggested that at least one local physician (not a UMC employee) knew that personal information on patients was being leaked. Both before and after the specific situation under investigation, UMC has had problems with privacy lapses and loss or theft of protected health information.

Under the strengthened HIPAA enforcement provisions in the HITECH Act, both federal and state prosecutors would be able to bring civil or criminal action against the hospital, either on behalf of individual patients who suffered some harm due to the breaches, or because of the pattern of HIPAA violations that has emerged since the hospital came under closer scrutiny.