Katina Candrick, 34, of LaGrange, Texas, was sentenced Oct. 13 in federal court to 10 years for conspiracy to commit identity theft and five years in prison for unlawful possession of fraudulent identification documents, according to a news release from the U.S. Attorney's Office for the Western District of Texas. Her sentences will run consecutively.
In addition to her prison term, Candrick was ordered to pay more than $163,000 in restitution.
From July 6 to Nov. 13, 2009, Candrick was employed as a patient account representative at MedAssets, a Richardson, Texas-based health care billing company, prosecutors said. While working there, she illegally obtained the personal information of more than 1,200 individuals from billing accounts she handled.
Many of the individuals whose information she stole were patients at the University of Texas Medical Branch at Galveston, according to reports.
Candrick was arrested on Dec. 14, 2009. At the time of her arrest, she was living under the name of a person whose identity she had stolen, prosecutors said. She also used the stolen personal identification information of others to pay for living expenses, vehicles and other items. She pleaded guilty to the charges in late April.
The case illustrates several key information security trends, including the increase of insider threats, Joe Gottlieb, CEO of security intelligence solutions provider SenSage, told SCMagazineUS.com in an email Tuesday.
Cybercrimes involving insiders often are committed by employees who have access to sensitive data, and their company fails to perform any monitoring, he said. The case also is an example of the slow, steady increase in successful cybercrime prosecutions.
“The 15-year sentence is substantial and thus helps establish the deterrent of real punishment that has generally been missing in the cybercrime world,” Gottlieb said.
Those who commit medical identity theft are generally motivated by the potential to make money for themselves and others, he added.
“The health care industry is a complicated mess and that makes it easier for criminals to exploit it more easily,” he said. “Improvements in law enforcement and the more specific compliance requirements from HITECH [Health Information Technology for Economic and Clinical Health Act] should begin to mitigate these issues, but it will take time.”
Medical identity theft has been on the upswing for the past few years, in part because of the wealth of personal information available in medical records, experts have said. Thieves can use this information to obtain medical treatment or prescription drugs that they otherwise would not have had access to.
Medical records include not only names and addresses, but also employer and financial account information, which makes it profitable, according to experts. Also, within the health care sector, patient information is often shared with other doctors, insurance companies and other health care facilities.
According to a Ponemon Institute study released in early March, nearly 1.5 million Americans have suffered from medical identity theft. It is estimated the cost associated with medical identity theft totals $29 billion, or approximately $20,000 per victim.