Former Employee of a Florida Medical Center Pleads Guilty to Identity Theft

Medical centers continue to be in the news in connection with their employees using their positions of trust to steal the identities of patients. On March 27, 2014, Wifredo A. Ferrer, United States Attorney for the Southern District of Florida, Jose A. Gonzalez, Special Agent in Charge, Internal Revenue Service Criminal Investigation (IRS-CI), and Ric L. Bradshaw, Sheriff, Palm Beach County Sheriff’s Office, announced that Eltonya Wiley of Lady Lake, Florida pled guilty for her participation in a wide-ranging identity theft scheme.

According to the Press Release:
As part of her guilty plea, Wiley admitted that she made unauthorized use of medical patients’ Social Security numbers in connection with ongoing identity theft. The government alleged, and Wiley agreed, that at least 92 patients of Villages Endoscopy near The Villages in Central Florida had their identities stolen by virtue of Wiley’s conduct while she was an employee at that medical facility.
. . .
The scheme involved, in part, stealing the identities of patients at a medical facility in central Florida. Those identities were then used to file fraudulent federal income tax returns in the patients’ names seeking fraudulent refunds, and obtaining fraudulent credit cards which were then used to make fraudulent purchases.
Ms. Wiley pled guilty to:
  • one count of conspiracy to commit wire fraud, in violation of 18 U.S.C. § 1349 (Count 1) - maximum of 20 years in prison,
  • three counts of wire fraud, in violation of 18 U.S.C. § 1343 (Counts 4, 6, and 12) - maximum of 60 years in prison (20 years for each count),
  • one count of aggravated identity theft, in violation of 18 U.S.C. § 1028A (Count 35) - mandatory term of 2 years in prison
Ms. Wiley was the last of six defendants to plead guilty in the case.

To minimize risks of identity theft, providers should only collect the information they need.
Generally, to successfully engage in identity theft, the thieves need the patient's Social Security number. So, providers should evaluate whether they actually need to collect it. Upon closer examination, many providers will find that they do not need the number. If they do need the number, however, they should take other appropriate steps to make it visible only on an as-needed basis. Providers using electronic medical records, for example, could make only the last four numbers visible to all staff. Similarly, providers using paper records could keep the Social Security number separate from the regular patient file.

Aside from implementing administrative and technical safeguards, providers should also consider purchasing appropriate insurance.
Victims of identity theft are increasingly going to the courts to seek remedies against providers whose employees misused information. In Florida, plaintiffs sued AvMed Health Plans in a class action after the company suffered a data breach. In that case, several of the plaintiffs were able to demonstrate that they were victims of identity theft. That case resulted in a $3 million settlement.


Press Release, U.S. Attorney's Office, Southern District of Florida, Source of Medical Patient Stolen Identities Pleads Guilty, Mar. 27, 2014,

November 2016
