Lo and behold, there has been another conviction!

So, here are the HIPAA convictions that have been made so far, that I could find, in chronological order:

1.
In August, 2004, a federal prosecutor in Seattle, Washington was the first to prosecute a criminal HIPAA violator, phlebotomist, Richard Gibson, who was an employee of the Seattle Cancer Care Alliance, a treatment center for cancer patients.

2.
In March of 2006 the U.S. Attorney's Office in Houston convicted physician practice employee, Liz Arlene Ramirez, for selling the individually identifiable health information an FBI agent to a drug trafficker and in exchange for $500. The court sentenced Ramirez to serve six months in jail followed by four months of home confinement with a subsequent two-year term of supervised release and a $100 special assessment.

3. & 4.

These criminal convictions included the first HIPAA criminal cases to actually go to trial. In January, 2007, Isis Machado, an employee at the Cleveland Clinic in Weston, Florida, was charged with obtaining computerized patient files, downloading individually identifiable health information of over 1,100 Medicare patients, and then selling the information to her cousin, Fernando Ferrer, Jr., the owner of Advanced Medical Claims in Naples, Florida. Ferrer then used the information to submit approximately $2.8 million in fraudulent Medicare claims. Machado and Ferrer were charged with one count of conspiring to defraud the United States, one count of computer fraud, one count of wrongful disclosure of individually identifiable health information (a HIPAA violation), and five counts of aggravated identity theft.

5. & 6.
Meckenstock and Stevenson, mentioned earlier, used names, social security numbers, and other identifying information obtained from Howell as well as from stolen/discarded mail, internet searches, credit reports, and car burglaries, to produce counterfeit identification documents (IDs). "These counterfeit IDs were used to obtain merchandise and credit from various merchants. Meckenstock and Stevenson were in possession of approximately 150 counterfeit drivers' licenses and 68 counterfeit social security cards. Meckenstock was sentenced to serve 119 months in federal prison. Stevenson was sentenced to serve 168 months in federal prison. Each defendant was ordered to pay $101,896.39 in restitution to their victims." Meckenstock and Stevenson were sentenced to prison terms in 2008.

7.
Leslie A. Howell, who worked at an Oklahoma City counseling center was sentenced to 14 months in prison for violating HIPAA by giving patient files to Ryan Jay Meckenstock and Nicole Lanae Stevenson who used the personally identifiable information (PII) to "to make counterfeit identification papers that helped them obtain merchandise and credit from a number of retailers." Howell was given a 14-month prison term. Meckenstock and Stevenson were sentenced to prison terms in 2008.

8.
Andrea Smith, from Trumann, Arkansas, was sentenced on December 3, 2008, to two years probation and 100 hours of community service for accessing and disclosing a patient's health information for personal gain in the Eastern District of Arkansas.

"While working as a licensed practical nurse at Northeast Arkansas Clinic (NEAC) in Jonesboro, AR, Smith accessed an unidentified patient's medical record on November 28, 2006. Smith then gave the private medical information to her husband, Justin Smith, who called the patient and said he intended to use the information against him or her in "an upcoming legal proceeding," according to an Eastern District of Arkansas US Attorney press release"

From what I can find there still has been only one sanction given for HIPAA noncompliance, which I discussed here.