A federal judge in Seattle last week sentenced a SeaTac, Wash., man to serve 16 months in prison and pay $9,000 in restitution in the first known criminal conviction under the Health Insurance Portability and Accountability Act of 1996, said the U.S. Attorney in Seattle.
U.S. Judge Ricardo Martinez sentenced Richard Gibson, 42, for violating the HIPAA law, which prohibits the wrongful disclosure of individually identifiable healthcare information for financial gain. HIPAA's healthcare privacy provisions took effect in 2003.
In October 2003, Gibson, who was employed at the Seattle Cancer Care Alliance, stole the personal identifying information of a cancer patient to obtain four credit cards in that person's name, then charged more than $9,000 in debt. He bought video games, home improvement supplies, jewelry, groceries and gas and was fired after the identity theft was discovered.
Martinez called Gibson's actions "a vicious attack on someone fighting for his life" and exceeded the prosecutor's recommendation of one year in prison. The patient told the court in a videotaped statement that he "lost a year of life, both mentally and physically, dealing with the stress" of the identity theft, according to U.S. Attorney John McKay.
Gibson pleaded guilty in August. At that time, McKay said: "Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life, and having to cope with identity theft is just unconscionable. This case should serve as a reminder that misuse of patient information may result in criminal prosecution."
When Gibson was convicted, the U.S. Justice Department said it was the first conviction under the HIPAA law.