An Alabama woman accused of stealing the personal information of about 4,500 surgery patients at a Birmingham hospital is facing criminal charges for violating the HIPAA privacy rule.

Chelsea Catherine Stewart was arrested June 2 and charged in U.S. District Court this week under section 1320d-6 of the HIPAA privacy rule, which concerns "wrongful disclosure of individually identifiable health information," according to published reports.

During a fraud investigation of the 26-year-old Alabaster, Ala., woman, federal authorities and local police found hundreds of pages of paper surgery schedules containing the names, birth dates and Social Security numbers of Trinity Medical Center patients, dating as far back as 2006, reports the Birmingham News. Law enforcement documents indicate that Ms. Stewart took the hospital records while visiting a patient between March 22 and April 1.

In addition to the records, police also found a list of actions Ms. Stewart allegedly planned to take with the information she'd obtained. "Get hospital records together and run credit reports on people to get info," one note reportedly said. Just days before the documents were found at her home in April, Ms. Stewart had been arrested on charges of credit-card fraud and breaking into a vehicle.

The hospital has notified all affected patients by mail and is offering them free credit monitoring for a year, although hospital officials say they don't believe the patients' stolen information has been used. "To help safeguard against any further incidents, we are increasing our document security and changing access to our registration areas," Trinity Medical Center spokeswoman Leisha Harris said in a statement e-mailed to reporters.

If Ms. Stewart is convicted, she could face up to 10 years in prison and $250,000 in fines.

Irene Tsikitas