Couple pleads guilty to stealing Montefiore patient data in $1M fraud scheme

A former Montefiore Medical Center employee and her partner pleaded guilty to using stolen patient information to commit nearly $1 million in fraud.

What happened

A former business clerk at Montefiore Medical Center in the Bronx and his partner recently pleaded guilty in a scheme that exploited stolen patient information to commit fraud. The duo used personal data, such as Social Security numbers and other identifiable information, to create fraudulent accounts, including debit cards, and attempted to fraudulently obtain up to $1.6 million in pandemic relief funds from the IRS and New York State Department of Labor. The scheme ultimately resulted in nearly $1 million in actual losses. 

Going deeper 

Estrella, who worked at Montefiore for over a decade, admitted to conspiracy to commit wire fraud and bank fraud and wrongful disclosure of individually identifiable health information. An internal systems audit in 2020 uncovered that he had accessed the protected health information (PHI) of at least 4,005 patients, which was later used to support the fraud scheme. His sentencing is scheduled for December 1, 2025, where he faces up to 30 years for fraud and 10 years for wrongful disclosure.

His partner, Marte, pleaded guilty on July 28, 2025, to conspiracy to commit wire fraud and bank fraud and faces a maximum of 30 years imprisonment at her sentencing on November 5, 2025. Together, the couple agreed to forfeit $951,618.20 and are liable for the same amount in restitution.

What was said 

According to the Department of Justice, U.S. Attorney Jay Clayton emphasized the betrayal of public trust, stating, “Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” and added, “Defrauding federal programs harms all New Yorkers and our Office is committed to stopping it.” Furthermore, FBI Assistant Director in Charge Christopher G. Raia indicated the seriousness of targeting medical data, stating, “Wilkins Estrella and Charlene Marte exploited thousands of patient records to steal almost one million dollars from various government programs,” noting that “these defendants misused sensitive identifying information to perpetuate this illicit scheme and reap unlawful proceeds. The FBI remains committed to pursuing any individual who targets confidential medical information for personal enrichment.”

DOL-OIG Special Agent in Charge Jonathan Mellone noted the breach of unemployment insurance programs: “Wilkins Estrella and Charlene Marte committed numerous frauds against multiple government agencies, including a scheme to defraud the New York State Department of Labor’s unemployment insurance program by misusing the stolen identities of individuals to falsely obtain benefits,” and affirmed, “We will continue to work with our federal and state law enforcement partners to safeguard the integrity of U.S. Department of Labor programs.”

In the know

An insider threat occurs when someone within an organization, such as an employee, contractor, or business partner, misuses their access to sensitive systems or data. These threats may arise from malicious intent, such as financial gain or retaliation, or from negligence, including mishandling of data or falling victim to phishing attacks.

In healthcare, insider threats are particularly dangerous because employees often have direct access to PHI. The temptation to exploit this data for identity theft or fraud can be high, especially in times of financial stress.

Prevention requires a multi-layered approach: organizations can limit access to PHI on a need-to-know basis, regularly audit system activity, train staff on data security responsibilities, and establish clear consequences for violations. Building a culture of accountability and trust is just as vital as deploying strong technical safeguards.

Why it matters 

At least 4,005 patients had their PHI compromised in this scheme, putting their privacy and security at serious risk. The misuse of Social Security numbers and medical records exposes individuals to identity theft and financial fraud and reduces the trust patients place in healthcare institutions to safeguard their most personal data. 

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

How does the Department of Justice get involved in HIPAA cases?

The DOJ prosecutes HIPAA violations that involve criminal activity, such as identity theft, fraud, or the intentional sale of patient data. Civil HIPAA violations are typically enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR).

What role do audits play in preventing data breaches?

Regular audits of access logs, employee activity, and system permissions help organizations detect unauthorized access or unusual patterns before a breach escalates.