Hospital Employee Stole and Sold Patients’ PHI Using WhatsApp Encrypted Phone App

Brooklyn’s Kings County Hospital discovered that a former employee of its emergency department allegedly stole the protected health information (PHI) of about 100 people and shared it with another man using an encrypted mobile phone app.

Orlando Jemmott, 52, was employed for 12 years at Kings County Hospital. From March 2006 to April 2018, he was allowed to access patients’ health records in order to carry out his work responsibilities, which involved entering patient information into the hospital’s record system. The patient data that Jemmott entered included demographic information and details of patients’ symptoms and health conditions.

In June 2017, a woman tipped off the FBI that Jemmott was stealing patient data and selling it to another man. She claimed that Jemmott used the WhatsApp encrypted messaging app to transmit the stolen PHI. She also gave the FBI Jemmott’s mobile phone number along with a photo of his WhatsApp profile. After obtaining a warrant, the FBI searched Jemmott’s phone and uncovered many messages exchanged between Jemmott and Ron Pruitt of Pennsylvania. It is not known how Pruitt disclosed the PHI.

The messages, which were sent from December 2014 to April 2015, contained the names and telephone numbers of around 180 patients. According to court documents, the identities of at least 100 of these people were confirmed. Brooklyn’s Kings County Hospital also said that 98 of the listed individuals were patients of the hospital. Additionally, 88 of the 98 patient records were illegally accessed.

The tipster also gave the FBI printed copies of health data from December 2016 to June 2017. The hospital verified that the data of 49 individuals in the printouts was taken from its electronic records.

Jemmott was arrested only in February 2018, and two months later Brooklyn’s Kings County Hospital terminated him. The court allowed him to be released on an $80,000 bond. The FBI later arrested Pruitt in September, and the two are hoping to negotiate plea bargains.

Under HIPAA, covered entities need to record and maintain PHI access logs, which are assessed regularly to monitor for potential illegal access. It might be impossible to stop healthcare employees from committing unauthorized PHI access, but the logs help to discover breaches rapidly and limit the damage. Many insider breaches had been going on for years before being detected, and by that time the information of countless patients had already been exposed.