New York woman sentenced for criminal HIPAA violation

A New York woman was sentenced to probation after mailing stolen health records as part of an extortion attempt.

 

What happened

Tonya D’Agostino, a 53-year-old woman from Farmington, New York, was sentenced to one year of probation for a criminal HIPAA violation involving the unlawful disclosure of protected health information (PHI). In addition to probation, she has been ordered to pay $13,410.42 in restitution. The sentence comes after D’Agostino pleaded guilty under a plea agreement that allowed her to avoid imprisonment.

 

Going deeper

On March 23, 2023, D’Agostino mailed a package through USPS Priority Mail to an individual in Medina, New York. The parcel contained sensitive health records for four individuals, information classified under HIPAA as protected health information. Not only was the data obtained without consent, but D’Agostino also lacked the legal authority to share it. The disclosure was part of an extortion attempt involving a payment demand of $216,000.

The Federal Bureau of Investigation investigated the case, which led to D’Agostino’s arrest and eventual guilty plea. She was charged with a violation of Title 42, United States Code Sections 1320d-6(a)(2) and (b)(1), which prohibit the intentional and unauthorized access and disclosure of individually identifiable health information.

Under the law, individuals who knowingly violate HIPAA can face jail time, financial penalties, and mandatory supervision. D’Agostino’s plea agreement exposed her to a potential one-year prison sentence, a fine of up to $50,000, and supervised release. However, the court ultimately issued a non-custodial sentence.

 

What was said

Chief U.S. District Judge Elizabeth A. Wolford presided over the case and chose not to impose a jail sentence, opting instead for probation and financial restitution. The court also required D’Agostino to pay a $25 special assessment and to serve one year of supervised release. The plea deal acknowledges her criminal responsibility while avoiding incarceration.

 

The big picture

Tonya D’Agostino’s sentencing shows that exploiting health data for personal use isn’t just unethical, it’s criminal. Her attempt to use stolen patient records in an extortion scheme didn’t land her in prison, but it did place her under federal scrutiny, with lasting legal and financial consequences. The case also shows that HIPAA protections extend beyond the walls of healthcare institutions, and that violations for personal gain won’t be taken lightly.

 

FAQs

Can someone outside the healthcare industry be charged with a HIPAA violation?

Yes. Anyone who knowingly accesses or discloses protected health information (PHI) without authorization can be prosecuted under HIPAA—even if they don't work in healthcare.

 

What qualifies as a criminal HIPAA violation?

Criminal HIPAA violations typically involve intentional acts like stealing, selling, or using PHI for personal gain, blackmail, or fraud, rather than accidental breaches.

 

How does the legal system determine sentencing in HIPAA criminal cases?

Sentencing depends on factors like intent, harm caused, cooperation with investigators, and prior offenses. Penalties range from fines to imprisonment or supervised release.

 

Are criminal HIPAA cases common?

No. Most HIPAA violations result in civil penalties against healthcare entities. Criminal charges are rare and usually reserved for egregious or intentional misconduct.

 

What does this case signal for individuals handling health data?

It reinforces that mishandling PHI—whether digital or physical—can carry real legal consequences, even for those outside traditional healthcare roles.