7.30 Update: The second person associated with this crime was sentenced as a result of "...conspiracy to obtain information from a protected computer and was sentenced to 30 months in federal prison today by U.S. District Judge Sean D. Jordan..." The third person is still awaiting sentencing and we'll try to update this post as we learn more.
Violate HIPAA (in a criminal sense) and go to prison? Well, we don't know if HIPAA was invoked specifically, but we read that the IRS is touting "...Fraudster who stole protected health information to fund spending spree sentenced to prison..."
This criminal pled guilty to conspiracy to obtain information from a protected computer on Dec. 4, 2020. As a result, he was sentenced to 48 months in federal prison by a U.S. District Judge. The IRS reports that this criminal and two accomplices breached a health care provider's electronic health record system, stole patient protected health information (PHI) and personally identifiable information (PII), then "repackaged" and sold this PHI/PII in the form of false and fraudulent physician orders to durable medical equipment providers and contractors. The criminals made more than $1.4 million from this breach - but were obviously caught. The other two criminals are scheduled for sentencing soon.
There are more details, including anti-kickback violations and the entire set of charges for each criminal, if you click the graphic below. We are posting this because we are often asked if a HIPAA Security Officer can go to jail if their program isn't compliant. While we cannot dispense legal advice, we can observe that we are unaware of any personal charges brought against a Covered Entity or Business Associate workforce member outside of deliberate criminal activity as described above. We'd bet that a HIPAA Officer trying to comply with HIPAA and protect PHI may not always feel great about the effectiveness of their program, but is safe from an orange jumpsuit.
Stay (HIPAA) safe,