The FBI's recent arrest of former Florida Hospital employee Dale Munroe for selling accident-victim information to doctors and attorneys has raised some interesting questions about the protection of medical information, the investigation of cyber crime, and the role of system logs in cyber crime prevention. For some people the biggest question raised by this incident will be, “Why would someone do such a thing?” The quick and easy answer revolves around money, but a longer answer has to do with wider factors, like the state of the economy and the prevailing moral climate. I will return to those factors in a moment after we “follow the money” and look at the use of system logs to crack this case.
The results of a 10-month investigation by the FBI and the Florida Department of Financial Services (DFS) are detailed in the criminal complaint U.S.A. v. Munroe. The case against Munroe alleges unauthorized access of protected health information (PHI) belonging to hospital patients. The term PHI comes from the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). Accessing protected health data in America without permission is against the law, specifically Title 42, United States Code, sections 1320d-6(a) and 1320d-6(b)(3). If you knowingly violate this law with the intent to profit, as is alleged in this case, you face up to 10 years in prison plus a fine of up to $250,000.
Munroe is charged with seeking “compensation for providing the PHI to another individual who would benefit financially from the PHI.” The other individual, identified simply as S.K., is “known to employ ‘runners' to gather people to participate in staged vehicle accidents for the purpose of having those participants seek treatment at S.K.'s clinics and bill the participants' insurance companies for their treatment.” In street parlance, S.K. is a player in medical and insurance fraud.
Munroe is alleged to have received money for giving S.K. details of accident victims who could be targeted by doctors, lawyers and chiropractors. The complaint cites several cases in which this occurred and indicates that, from the beginning of 2009 through January 2011, Munroe received $7,840 in cash and $1,600 in checks that were deposited into his joint bank account. Furthermore, it seems Munroe's wife, employed at the same hospital, was also involved and received $1,200 in checks that were deposited into the joint bank account.
So how did Munroe get access to this data? He was hired in July of 2006 by Florida Hospital at its Celebration location. Florida Hospital is one of the country's largest nonprofit health care providers with 22 campuses serving communities throughout Florida, and Celebration is the town Disney founded, near Orlando. Munroe's job title was registration representative in the emergency department and his role was to use Florida Hospital's computer system to register patients as they came into the ER, including walk-ins and ambulance cases. Patient records are accessed on this system via a screen called RS23 that shows 10 records at a time. The system can be used to view ER patient lists for other Florida Hospital locations, not just the location at which the screen is being accessed.
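The two system capabilities just described, a list screen that returns 10 records per view and the ability to browse ER patient lists for campuses other than one's own, are exactly the kind of behaviour that access logs can surface. The script below is an added example (not from the article or the complaint) of how a hospital's security team might review such logs. It assumes a hypothetical pipe-delimited audit format, constructed user ids, placeholder campus names and arbitrary thresholds; only the RS23 screen name and the 10-records-per-view detail come from the article.

```python
"""Flag unusual patient-list access in constructed hospital audit logs.

Two simple detections a defender might run over RS23 access records:
  1. a registration user viewing patient lists for campuses other than
     their home campus, and
  2. a user whose total of records viewed far exceeds the peer median.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample audit records (hypothetical format, not from the case).
# Fields: timestamp | user id | home campus | screen | campus viewed | records shown
SAMPLE_LOG = """\
2010-03-02T08:15:11|reg0142|Celebration|RS23|Celebration|10
2010-03-02T08:16:40|reg0142|Celebration|RS23|Celebration|10
2010-03-02T08:20:03|reg0142|Celebration|RS23|Campus-B|10
2010-03-02T08:21:55|reg0142|Celebration|RS23|Campus-C|10
2010-03-02T08:23:30|reg0142|Celebration|RS23|Campus-D|10
2010-03-02T08:25:12|reg0142|Celebration|RS23|Campus-E|10
2010-03-02T09:02:45|reg0377|Celebration|RS23|Celebration|10
2010-03-02T09:40:10|reg0377|Celebration|RS23|Celebration|10
2010-03-02T10:12:00|reg0512|Campus-B|RS23|Campus-B|10
2010-03-02T10:14:21|reg0512|Campus-B|RS23|Campus-B|10
"""


@dataclass
class AccessEvent:
    ts: str
    user: str
    home: str
    screen: str
    viewed: str
    records: int


def parse_log(text):
    """Parse the constructed audit format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 6:
            continue
        ts, user, home, screen, viewed, n = parts
        events.append(AccessEvent(ts, user, home, screen, viewed, int(n)))
    return events


def cross_campus_views(events):
    """Per user, the set of campuses viewed that differ from the home campus."""
    out = defaultdict(set)
    for e in events:
        if e.screen == "RS23" and e.viewed != e.home:
            out[e.user].add(e.viewed)
    return dict(out)


def volume_outliers(events, factor=2.5):
    """Users whose records-viewed total exceeds factor x the median user's total."""
    totals = defaultdict(int)
    for e in events:
        if e.screen == "RS23":
            totals[e.user] += e.records
    if not totals:
        return {}
    med = median(totals.values())
    return {u: t for u, t in totals.items() if t > factor * med}


def report(text, cross_threshold=2, factor=2.5):
    """Combine both detections into a per-user list of reasons for review."""
    events = parse_log(text)
    flagged = {}
    for user, campuses in cross_campus_views(events).items():
        if len(campuses) >= cross_threshold:
            flagged.setdefault(user, []).append(
                f"viewed patient lists for {len(campuses)} other campuses")
    for user, total in volume_outliers(events, factor).items():
        flagged.setdefault(user, []).append(
            f"{total} records viewed, well above peer median")
    return flagged


if __name__ == "__main__":
    for user, reasons in report(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

The thresholds are deliberately coarse; in practice a team would baseline each role's normal cross-campus activity (an ER registrar legitimately checks other locations for transfers) and tune the factor so that routine work is not flagged while a pattern like the one alleged here stands out for human review.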