A 55-year-old Kentucky woman was sentenced on July 3, 2025, to five years in prison, followed by three years of supervised release, for obtaining a controlled substance by fraud and for the wrongful disclosure of individually identifiable health information.
According to court documents and statements made in court, the defendant worked as a travel nurse at a West Virginia hospital from September 2021 until February 2022. During that time, she unlawfully accessed and used individually identifiable health information of patients at the hospital to divert hydromorphone, an opioid, for her personal use.
To carry out the scheme, the defendant fraudulently obtained the hydromorphone from automated controlled substance dispensing machines at the hospital. She used her personal biometrics to access the machines and a patient’s individually identifiable health information to begin the process of checking out hydromorphone for that patient. When the machine’s secure drawer opened, she siphoned off a portion of the drug from its vial and diluted the remaining contents with another substance to make the vial appear full. She then canceled or voided the transaction to conceal the theft.
The defendant admitted to repeatedly using individually identifiable patient health information to obtain hydromorphone under false pretenses for personal gain between approximately September 17, 2021, and February 1, 2022.
As a result of the case, the West Virginia Board of Registered Nurses has indefinitely suspended the defendant’s privilege to practice nursing in West Virginia.
The defendant was sentenced to two years in prison for obtaining a controlled substance by fraud and to three years in prison for the wrongful disclosure of individually identifiable health information, with the sentences to run consecutively. The court concluded that the defendant’s criminal conduct warranted an upward variance from the advisory guideline range of four to ten months in prison.
Compliance Perspective
Issue
The unauthorized use of controlled substances by healthcare staff and the wrongful disclosure of individually identifiable health information are serious violations of federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). Drug diversion in care settings not only compromises resident safety and health outcomes but also constitutes abuse, neglect, and misappropriation under long-term care regulations. Likewise, accessing and using protected health information (PHI) without a legitimate purpose or proper authorization breaches resident privacy rights. Facilities must implement safeguards to prevent these violations by maintaining strong policies, providing staff education, and monitoring for compliance.
Discussion Points
- Review your policies and procedures related to the handling of controlled substances and PHI. Ensure policies clearly outline processes for access, storage, dispensing, documentation, and disposal of medications, as well as the appropriate use and protection of PHI. Policies should also define staff responsibilities, prohibited behaviors, and protocols for responding to suspected violations.
- Provide regular, documented training to staff on the prevention of drug diversion and the proper handling of PHI. Training should include recognizing warning signs of diversion, understanding HIPAA privacy rules, reporting procedures for suspicious activity, and the consequences of violations. Reinforce ethical standards and staff duties regarding patient safety and confidentiality.
- Regularly audit medication dispensing records, waste logs, and access to PHI. Verify that access to controlled substances is properly authorized and documented, and that PHI is accessed only for legitimate clinical reasons.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*