Long Island radiologist arrested in patient data theft

 - Cuffs

The New York radiologist accused of stealing health information from nearly 100,000 patients last summer has been arrested.

Richard Kessler, MD, who made off with the records while employed by 49-radiologist NRAD Medical Associates on Long Island, is scheduled to be arraigned Jan. 6. He will be charged with three misdemeanors—unauthorized use of a computer, unlawful duplication of computer-related material and petty larceny.

If convicted, the 38-year-old doctor may spend a year in jail, according to a statement from the Nassau County district attorney.

DA Kathleen Rice said that Kessler committed the crimes between January and April, duplicating and possessing the protected personal and health information of 96,998 patients. Search warrant in hand, the Nassau County Police Department confiscated Kessler’s hard drive and found the patient records, along with NRAD patient billing system dates, NRAD corporate credit card information, corporate marketing materials and NRAD IT information.

There is no indication that Kessler used any of the stolen info to “open accounts, make purchases or obtain property in the names of NRAD patients,” the statement noted, adding that NRAD had offered the victimized patients free credit-protection services.

Rice took the occasion to sound the call for stronger laws. “Physicians are regularly entrusted with the health and well-being of their patients, so the abuse of trust in this case is particularly outrageous,” she said. “New York State’s privacy and larceny statutes should be reformed so they can apply to more kinds of personally identifying information.”

Larry Ponemon, PhD, head of the Ponemon Institute, a Michigan-based research firm focused on data privacy and protection, told RadiologyBusiness.com that medical practices’ single best guard against such breaches is training staff in simple workplace vigilance and urging employees to report suspicious behavior.

“You don’t want to create a snitching culture, but we’ve examined some cases where a person inside an organization was going to the file room a lot, asking someone to share their password, all of these unusual behaviors, ” he said. “When coworkers were asked why they didn’t say something, they answered that it wasn’t like someone was stealing money‘It’s just information.’”

Even when coworkers have a strong suspicion that someone may be doing something malicious, he added, they’re often reluctant to do anything about it.

As for motive, Kessler told authorities that he intended to use the information to start a competing medical practice.

While acknowledging the plausibility of this scenario, Ponemon points out that a robust black market exists for health records. Many data thieves prefer health providers over, say, retail banks, he said, because the former are often much easier targets for exploitable data.

“Sometimes they will steal your health insurance, buy very expensive medical products, like scooters, which are a very popular device to buy and then sell on eBay,” Ponemon said. “That’s just one example, but [it illustrates that] the information can be monetized.”

Ponemon adds that his firm’s studies have shown that Millennials and other younger people have evidenced a tendency to view contact lists they create in the workplace as their own private property. “They tend to have the attitude that they own the contact list because they created the document containing it,” he said.  They think it’s only right to take it with them to their next job and use it there. And most people still don’t see this kind of activity as a crime. So it could be that this doctor (Kessler) is not evil or malicious, just dumb.”

Either way, Kessler will get his day in court.

“Identity theft and theft of personal information is one of the greatest economic threats our citizens face,” said Thomas Krumpter, acting police commissioner of Nassau County. “The NCPD takes these crimes very seriously and works collaboratively with the DA’s office to ensure suspects are arrested and prosecuted.”

Meanwhile NRAD must recover not only from the crimes committed against it but also potential backlash from wary patients. Ponemon recalled how his elderly  mother had her insurance fraudulently billed for medical services she never receivedIt was very upsetting to her,” he said. She lost all confidence in her physician and went and found another one.