Former surgery center employee found guilty of computer crime

A woman who was fired from a Wichita surgery center was found guilty of computer crime for a mass transfer of e-mails with information about 317 patients.

After a six-day trial in Sedgwick County court, a jury found April Galvan, 54, guilty Monday on all seven counts of computer fraud.

On the morning she was fired from Cypress Surgery Center, 9300 E. 29th St. North, Galvan sent the e-mails to a Gmail account.

“We’re not here as any kind of witch hunt, picking on poor April Galvan or trying to make her life harder than it is,” said Robert Short, chief attorney of the economic crimes unit for the Sedgwick County District Attorney’s Office. “We are here because she made a decision that day and the responsibility for that decision.”

By 11:30 a.m. on June 12, 2013, Galvan had been fired. In expectation of that action, prosecutors said, Galvan sent approximately 140 e-mails from her work computer to her personal Gmail account between 7:06 and 10:04 a.m. that day. Others were sent in the days leading up to June 12, a total of 168 e-mails with personal information for 317 patients.

The e-mails included sensitive health information for 198 patients. Seven e-mails in particular had attachments that had confidential patient information. Those seven e-mails were at the heart of the case against Galvan.

Rocky Wiechman, a criminal defense attorney for Galvan, argued that Galvan didn’t deliberately send those seven e-mails as she rapidly forwarded e-mails the morning she was fired.

Short said she well knew she lacked authority over the e-mails and patient information.

“If you get mad when you get fired, you can’t bust up the equipment, you can’t steal a generator from the warehouse, you can’t take money out of the register, you can’t bust out the window on the way out,” Short said to the jury. “All those things would be considered a crime. So what makes April Galvan think she can go in and data mine all this information and put it in her personal e-mail?”

Cypress Surgery Center discovered the mass e-mail transfer in an audit shortly after Galvan’s termination.

Galvan testified that she worked from home periodically during her tenure at Cypress Surgery Center and to do so, she sent e-mails to her personal e-mail account that sometimes included confidential patient information.

But closer to her termination, Galvan said, she had an inkling she might be fired. Fearing legal backlash from Cypress about an incident that involved fraudulent insurance billing, she said, she forwarded the e-mails from her work account to her personal account to protect herself.

“That was no longer about taking work home and 60-hour workweeks and being a dedicated employee,” Short said to Galvan during cross-examination.

Instead, Short said, she took those e-mails for a personal reason – to protect herself.

“By the 11th, now you had started saying, ‘OK, I see the train coming, I’m going to start taking these e-mails and start shipping them to my Gmail account,’ is that right?” Short asked Galvan.

She responded, “Yes.”

Higher level of secrecy

Cypress Surgery Center houses facilities for at least 10 medical specialties, including infertility treatment.

David Grainger, a reproductive endocrinologist at Cypress Surgery Center, said 198 of the patients who had sensitive information released were men and women who were involved in in vitro fertilization. He said even though all medical records are sensitive, these in vitro fertilization records rise to another level.

“So much of the information people are seeking from us, they don’t even share with their families; forget about friends,” Grainger said. “It’s a very emotionally sensitive area of medicine. I would say one of the most sensitive.”

For men, Grainger said, it is an issue of masculinity. And women, he said, become “terribly critical of their bodies when they’re not performing like they should.”

During his testimony, Grainger looked at the jury and said, citing statistics, that “probably three of the people in the jury have experienced infertility personally, and everyone probably knows someone whose experienced infertility, because it’s that common.”

The procedures often go against the doctrine of some patients’ churches, he said, adding that the breach of that information “could be traumatic to them.”

Grainger said that in the wake of Galvan’s firing, the surgery center sent a letter to the 317 patients affected by the e-mail release.

The arguments

Galvan’s justification for the e-mail transfer fell largely under two points. The first, she said, was that she had permission to send e-mails, even with patient information, to her personal account in order to work from home.

The second was that because she had to sign off on that work and because her name was attached to it, she needed to take that information to prove its validity.

Galvan said she knowingly forwarded those e-mails rather than downloading them on a hard drive or printing them in an effort to be transparent.

“In her mind, she believed in good faith that she had that authorization,” said Wiechman, Galvan’s attorney. “And she didn’t do it sneakily, she didn’t do it under cover of darkness, she did it openly.”

He emphasized that only 4.2 percent of the total emails sent contained patient health information. Wiechman also used excerpts from the employee handbook to support his case about Galvan’s authorization to access the patient information.

But Short, the prosecutor, said that’s irrational reliance on an employee handbook.

“Of course it’s not in here,” he said. “There’s not a subsection titled ‘What to do the day you get fired and what you can’t do on that day.’ How would Symbion be able to guess that she’s going to go in and grab that information and then put a rule in here saying you can’t do that?”

He said the kind of handbook Wiechman is referring to “would be 800 volumes, and it still wouldn’t cover everything.”

Avery Elofsson, assistant district attorney, used the analogy of taking physical property from Cypress.

“I bet you the doctor’s office wishes it had been the cash box,” he said. “The money you can replace. The personal, private information – that’s gone, and they don’t know what happened to it.”

This story was originally published July 20, 2015 at 10:17 PM with the headline "Former surgery center employee found guilty of computer crime."