According to a press release from the US Attorney’s Office for the Southern District of New York, two individuals — Defendant 1 and his romantic partner, Defendant 2 — pleaded guilty to conspiracy to commit wire fraud and bank fraud in connection with a scheme to fraudulently obtain approximately $1.6 million in pandemic relief funds. The scheme, which involved the use of stolen social security numbers and other personally identifiable information (PII) belonging to hundreds of victims, resulted in nearly $1 million in actual losses.
From at least 2020 through 2022, the defendants used the stolen PII to obtain COVID-19 stimulus checks, tax refunds from the Internal Revenue Service (IRS), and unemployment insurance benefits from the New York State Department of Labor. They opened hundreds of debit card accounts in victims’ names and had the cards mailed to their own addresses and those of family members in order to access the funds.
The pair acquired this information from multiple sources, including a hospital in the Bronx where Defendant 1 had worked as a business clerk for nearly a decade. In 2020, he was terminated after an internal systems audit revealed that he had improperly accessed the protected health information (PHI) of at least 4,005 patients, which was later used in the fraud scheme.
As a result, Defendant 1, 40, of Hackensack, New Jersey, also pleaded guilty to wrongful disclosure of individually identifiable health information. That charge carries a maximum sentence of 10 years in prison. Defendant 2, 31, of the Bronx, New York, faces only the conspiracy charges, which each carry a maximum sentence of 30 years.
Defendant 2 pleaded guilty on July 28, 2025, and is scheduled to be sentenced on November 5, 2025. Defendant 1 pleaded guilty on August 6, 2025, and is scheduled to be sentenced on December 1, 2025. The defendants also agreed to be jointly and severally liable for $951,618.20 in forfeiture and the same amount in restitution.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Rule require covered entities to implement safeguards that protect the confidentiality, integrity, and availability of PHI, including electronic PHI (ePHI). This includes implementing appropriate workforce access controls and internal monitoring to prevent impermissible use or disclosure of PHI. Healthcare organizations must be especially vigilant in ensuring that staff do not improperly access or misuse patient information for personal gain or other unauthorized purposes.
Discussion Points
- Review and update policies related to HIPAA, PHI, and privacy. Ensure they include detailed access controls, address employee use and disclosure limitations, and outline consequences for unauthorized access or misuse of patient information. Facilities may benefit from working with an external consultant to ensure these policies align with best practices and current regulatory expectations.
- Provide comprehensive HIPAA, PHI, and privacy training to all staff upon hire, annually, and whenever policy updates occur. Consider offering scenario-based training that reinforces proper handling of PHI and highlights the risks of impermissible access or disclosure, especially in high-risk areas such as medical records, admissions, and billing. Med-Net Academy offers a course, Data Security 3: Access Privileges, which covers how to restrict access to PHI to only those entities with access privileges, ensure the privacy and security of PHI, manage unsecured health information to prevent unauthorized use, adhere to emergency access policies, and fairly and equitably apply disciplinary processes for privacy violations.
- Conduct regular audits of access logs and patient record activity to identify unauthorized access or suspicious patterns. Use audit findings to validate staff compliance and refine security measures where necessary, ideally in collaboration with experienced compliance consultants.
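As an added illustration of the audit described in the last point (example code written for this alert, not Med-Net's or the hospital's tooling), the script below runs over constructed EHR access-log lines and flags any account whose count of distinct patient records is far above the median of its role peers, the pattern an internal audit would surface when a clerk touches thousands of charts; the log format, role names and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Assumed log layout: one CSV line per record access.
FIELDS = ["timestamp", "user", "role", "patient_id", "action"]

def build_sample_log():
    """Constructed sample EHR access log (not real data): three business clerks
    with routine volume, one whose distinct-patient count spikes, and a nurse."""
    lines = []
    for i, n in enumerate([5, 5, 5, 40]):
        for p in range(n):
            lines.append(f"2020-03-0{i + 1}T09:{p:02d}:00,clerk0{i + 1},"
                         f"business_clerk,P{1000 + i * 100 + p},view_demographics")
    for p in range(12):
        lines.append(f"2020-03-05T10:{p:02d}:00,rn07,nurse,P{2000 + p},view_chart")
    return "\n".join(lines)

def parse_log(text):
    """Parse CSV-style access-log lines into dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def distinct_patients_by_user(rows):
    """Map each user to (role, number of distinct patient records touched)."""
    seen = defaultdict(set)
    role_of = {}
    for r in rows:
        seen[r["user"]].add(r["patient_id"])
        role_of[r["user"]] = r["role"]
    return {u: (role_of[u], len(p)) for u, p in seen.items()}

def flag_outliers(rows, multiplier=3.0, min_count=10):
    """Flag users whose distinct-patient count exceeds `multiplier` times the
    median of their role peers and is at least `min_count` (limits noise on
    tiny samples). Returns a sorted list of (user, role, count, peer_median)."""
    counts = distinct_patients_by_user(rows)
    by_role = defaultdict(list)
    for role, n in counts.values():
        by_role[role].append(n)
    flagged = []
    for user, (role, n) in counts.items():
        baseline = median(by_role[role])
        if n >= min_count and n > multiplier * baseline:
            flagged.append((user, role, n, baseline))
    return sorted(flagged)

if __name__ == "__main__":
    for user, role, n, base in flag_outliers(parse_log(build_sample_log())):
        print(f"REVIEW {user} ({role}): {n} distinct patients vs peer median {base}")
```

Flagged accounts are candidates for a manual review of each access against the user's assigned duties, not a verdict on their own.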
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*