Saturday, January 17, 2009
Compliance
The cost to government and business is astronomical. In 2007 OMB and FTC estimates show at least $48 billion in lost business revenue, fines, investigative costs, lawsuits, etc. As a result, states are looking to control their costs as police departments and county and state attorneys' offices are inundated with identity theft complaints that place a large burden on their offices. This brings me to the point of this column. We have had guidelines now for several years, and now certain compliance regulations, that clearly show the steps every business, non-profit, school system, and local municipality should follow to reduce breaches and identity theft episodes. These guidelines are defined in the 1999 Gramm-Leach-Bliley Act (GLB), the 2003 and 2005 provisions of the FACT Act, and again by way of the Red Flags rules of 2008.
Massachusetts has now stepped in and announced that these very guidelines are law of the Commonwealth. Any organization that does business in Massachusetts or has any client that resides in Massachusetts must adhere to the regulations that go into effect May 1st of 2009. This not only applies to the business in question but also includes mandatory oversight of the data security practices of all businesses that are third-party service providers and contractors. Massachusetts has gone so far as to announce that if any other state enacts more stringent regulations than these, it will adopt the more stringent terms. Surely other states will follow; it is simply a matter of when. A unifying federal regulation is on the horizon. With the inauguration of the first U.S. President who is expected to appoint a Chief Information Security Officer, a federal regulation will come from Congress sooner rather than later, perhaps as soon as this year.
And it will probably come from Senator Dianne Feinstein, the incoming Chair of the Senate Select Committee on Intelligence. Sen. Feinstein has long been an advocate of personal privacy oversight and identity theft law. Below is a great article on the new Mass. legislation.
Massachusetts Gets Tough on Data Security
Jan 15, 2009
By Maria Bruno-Britz, Bank Systems & Technology
As if banks didn't have enough on their plates with compliance and regulation on the federal front, come May 1, they will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security.
The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope. During a teleconference, attorneys from the privacy and data security practice of the law firm Goodwin Procter (Boston) described this very detailed, all-encompassing set of rules designed to keep consumers' personal data safe. They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information. "Personal information," for the purposes of the regulation, is described as someone's first and last name or first initial and last name, in combination with Social Security Number, driver's license number or financial account number.
At its core, the regulation states that companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled.
The rules also extend to entities' service providers and the degree to which they too must show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules.
According to partner Deborah Birnbach, this is some of the most intrusive legislation as it relates to the operation of businesses. "It requires changes in your physical access, changes in your relationships with your vendors, changes to your training programs, and changes in the type of information stored and how you store it," Birnbach explained to attendees. "This is not business as usual as it relates to the personal information of Massachusetts residents."
Under the rules, companies have a duty to monitor their security programs on an ongoing basis. The size and type of company will be taken into account by lawmakers, however. Partner David Goldstone said businesses are required to develop, implement, maintain and monitor a "comprehensive" written information security program. "They expect the information security program to be a living and breathing information security program," he said.
The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information. Although companies won't be expected to keep an inventory of this data per se, they are expected to know where it is, Goldstone noted. One of the suggestions to facilitate this process is to create an information flow map that shows where information is stored and transmitted.
Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security.
In addition to all this, companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long they wish to keep it and who can access it.
Another big component of the regulation is around the protection of data in transit and data on portable devices, like laptops, BlackBerrys and thumb drives. Companies will be required to encrypt data not only when it is stored but also when it is being transmitted over networks or physically moved, as when an employee takes a laptop home.
Properly educating and handling employees will also be key to compliance. The rules state, for example, that companies must be vigilant when dealing with terminated employees so that their access to data is "immediately" denied.
"Massachusetts may be the first with such detailed regulations, but it is not likely to be the last," predicted Lynne Barr, a partner with the firm.
Thursday, January 8, 2009
Small and medium-sized businesses will spend more on security in '09
A Forrester Research report finds that small and medium-sized businesses will spend more on security in 2009, and will zero in on data protection, reports SearchCIO. Forrester surveyed the business and IT leaders of 1,206 SMBs--businesses with fewer than 1,000 employees--and 942 enterprise companies, finding that the number one priority for both groups in the year ahead will be the protection of data assets.
The report goes on to say:
Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.
For me, though, this was the most puzzling part of this piece:
One area that isn't on the security radar for many SMBs -- but probably should be -- is access rights and the larger issue of identity management. Data assets must be protected against insiders, too, said Jonathan Penn, author of Forrester Research's security report.
"There are people who are authorized users who may inappropriately use information to the detriment of the company, or there are unauthorized users who in previous roles may have needed access to information but no longer do. Those kinds of processes in SMBs tend to be pretty poorly implemented," Penn said.
Part of the reason for this security shortcoming is that the technology for automating these processes can be expensive. But the bigger issue for SMBs is the process-intensive nature of keeping up with the rights employees should and shouldn't have.
"If it was a matter of just getting a tool to streamline onboarding, they could do that if they saw the cost benefit of that. But SMBs have tended to shy away from how they manage people's rights throughout the lifecycle of employment," Penn said. Coordinating among IT, business departments and human resources to sort out the employee rights and keeping the policies up to date is tough, and not easily outsourced.
A high-caliber Identity Theft Risk trainer can partner with HR management to get all of the employees through a comprehensive awareness training in 1 hour or less in group settings. Once that is done, a schedule of update sessions will keep the company current with the changing legislation on an as-needed basis. The FACTA Red Flags legislation calls for staff training on the company identity theft policy as a compliance piece. This comes under the heading of company policy and needs to be part not only of the onboarding of new hires but also of training for existing staff.
That really is the essence of good ongoing education for employees. Not only does the company get the advantage of expert trainers to keep everyone current in protecting the company's data assets, but it also has a better-prepared staff who will act in a more proactive manner, both on the job and with their personal identity. A significant area of concern when an individual is experiencing an identity theft episode is that the person is distracted on the job, takes time off, and is under extra stress at work.
In any case it seems business is moving (somewhat) in the right direction.
Tuesday, January 6, 2009
2008 Breach Numbers Nearly Double
Given the reality of this report, what would motivate a company to concentrate its efforts on company server and internet security? Misinformation. It has long been known that the vast majority of breaches are not the result of hacking or "cyber crime" of any kind. As this report has found, it's almost always either an inside job or a gross error in judgment. This is what makes employee awareness training an absolute necessity in an information security program. If a business doesn't tell the entire staff how to handle personal information, how can it expect them to do the right thing? Certified identity theft risk management experts who have studied the many forms of identity theft and methods of prevention should always conduct the training.
We have established that almost all data breaches occur at business and public databases, and are the fuel for the illicit worldwide trade in identities. The profits from the sale of identity data have surpassed the entire international illicit drug trade. As I mentioned in my previous column, it is very difficult to trace any given episode of identity theft to a single source, as the data is sold many times and divided up along the way, splitting one person's information in many directions. As this occurs the information is used for a myriad of purposes. This is where it gets very sticky. While this misuse is going on, different public and private databases are corrupted with false entries that may take years to surface. A person may not discover until years later that an event has taken place that has altered their Social Security records, medical records, insurance records, employment records, and so on. Often by then it is nearly impossible to correct these false records. Since we are literally judged by the entries in these databases, wouldn't it be clever if they were accurate?
As long as data has value it will be stolen, sold, and misused. Until we can remove the value of the information itself, we need to concentrate on prevention programs for businesses and public records keepers. A simple program of policy training and awareness of the nature of the crimes can go a long way to stem the tide of identity theft. This is not necessarily a difficult or expensive process. Often it can be done at little or no direct cost to the business other than the training time, which frankly is purely an investment. And if insurance companies are listening, they should lower the rates of proactive clients, just as their risk is lowered.
Monday, January 5, 2009
New Proposals in Iowa
"Iowa governments would have greater authority to black out personal information from public records under proposals recommended by a legislative committee.
Advocates say the proposals would protect citizens from identity theft.
But opponents say the unintended results could be alarming, particularly if the public is unable to differentiate between, for example, a convicted sex offender and another citizen with the same name.
"The public has more to fear from government records containing information about them of which they are unaware than the release of information pertaining to them," said Bill Monroe, executive director of the Iowa Newspaper Association.
Lawmakers formed the Identity Theft Prevention Study Committee, which met in November, to consider how the release of personal information in Iowa could make residents vulnerable to identity theft. Public concern heightened this year when privacy advocates complained about a land records site, IowaLandRecords.org. The Social Security numbers of thousands of Iowans from all 99 counties were listed on the site, including those of Gov. Chet Culver and Secretary of State Michael Mauro.
Administrators of the site quickly shut down the ability to view details of the records after the advocates pointed out the problem. The group says removing personal information from all the records - called redaction - will cost the state as much as $2.3 million, which includes $500,000 to update its computer programs. Culver said in an interview this week that he agrees steps should be taken to redact personal information from public records that can be used to steal Iowans' identities.
However, he said he was not sure how the state would pay for such efforts. County recorders, for example, have proposed increasing an electronic filing fee from $1 to $3 to pay for the redaction effort.
"I think protecting individuals' identity is important," Culver said. "Once it gets to the level of security risk, we should take steps to limit how far we go in terms of disclosing things like Social Security numbers."
The committee made 11 recommendations, several of which would give governments more power to remove Social Security or bank account numbers.
Sen. Steve Kettering, R-Lake View, a member of the study committee, said there is no simple answer to the problem. Lawmakers must find the appropriate balance between protecting identities and maintaining public records that protect the public through transparent government.
"There isn't an easy solution, and that's the hard part," said Kettering, who noted that detailed records are critical in his profession as president of Farmers State Bank in Lake View.
Open-records advocates generally agree that some sensitive information like credit card numbers should not be released. The problem arises if governments redact information such as dates of birth, addresses or other unique identifiers, said Kathleen Richardson of the Iowa Freedom of Information Council. Richardson said lawmakers need to establish how frequently identity theft occurs through public records. She believes the problem is rare.
"I think there needs to be a demonstrated need of why we need to vacuum public records," Richardson said. "We also have to carefully consider what our definition of personal information is and make sure it's not so broad that it wipes out too much information."
Sen. Steve Warnstadt, D-Sioux City, said the committee has tried to be sensitive to the concerns brought forward by open records advocates when making its recommendations. The recommendations will likely be used to help draft proposals during the 2009 legislative session, which begins Jan. 12.
"The point of this is not to restrict access. The point is to prevent identity theft and personal information from being disclosed from people who don't have a legitimate reason to have that information," said Warnstadt, the committee co-chairman."
Iowa is tackling this issue head on and should be a model for other states to follow. Notice how Kathleen Richardson is addressing the central question by saying that the committee needs to assess the definition of personal information. Once a written policy including that crucial component has been established it becomes relatively easy to put a real plan into motion.
I would also counsel so-called "open records" advocates that while the concept of easy access is attractive, it has one fatal flaw. Data has value. The proponents are not the ones who determine what is valuable data and what is not. That is in the hands of the information black market. As I have said time and again: "As long as the data has value it will be stolen, sold, and used by thieves." As to public record theft incidents, there were in excess of 15 million combined records lost or stolen from counties, cities, states, state universities, and school districts across the U.S. in 2008 alone. Those are public records databases. In my links area is a link to DataLossDB, http://datalossdb.org/ . You can see there how much is lost and stolen on a regular basis. But how much is acceptable? According to FTC and other sources there have been between 8 and 10 million domestic identity theft victims in each of the past three years. Due in part to the sale and resale of stolen information, it can be difficult and even impossible to trace identity theft victims to a single incident, which skews statistics. This is particularly true with mass database theft such as with public records.
If the figure of $2.3M to update software and to redact records is correct, the investment the state will have made will offset the upfront hard costs of a data breach, the liability of a large or even moderate breach, and any subsequent lawsuits resulting from identity theft. Good risk managers will tell you that the potential loss is far greater than the investment in a reasonable program.
Identity theft is on the rise at an alarming rate. As our economy unravels and becomes more fragile every day, data sales become a very attractive activity with very low risk. As businesses and local governments cut back on security budgets, a lot more opportunities occur to steal information, and a lot more people are desperate to cash in on the market in personal information.
Monday, December 29, 2008
Let's Pretend May 1st is Just Another Day in the Life of a Business.
Businesses in the U.S. have until May 1st, 2009 to initiate an Identity Theft program.
With the enactment of the 2008 FACTA Red Flags Rule comes a responsibility for all businesses, non-profits, schools and universities, utilities, and local governments to:
- Adopt a written identity theft policy that addresses the responsibilities of employees who can have access to personally identifiable information (PII), including a response plan in the event of PII breaches.
- Provide ongoing awareness training for all affected staff. It is generally understood that training all staff is more effective and serves to further protect the employer from loss.
- Exercise oversight of the security practices of all service providers and third-party contractors who might have access to the non-public data you hold on clients, customers, and employees alike.
The Federal Trade Commission extended the original November 1st, 2008 deadline until May 1st to give businesses more time to implement their individual programs. The FTC has oversight of the Fair and Accurate Credit Transactions Act (FACTA). The extension was granted only to non-banking businesses.
Not to be confused with a privacy policy, this legislation requires an identity theft-specific policy to be implemented and approved by ownership or a Board of Directors as company policy. After the May 1st date, breach cases involving non-compliant organizations will result in increased fines and federal audits, and will allow more victims' lawsuits to go forward. Neither a business' sector nor its size is a factor regarding this legislation.
"Have in place and implement a breach response plan... Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling sensitive data... Create a culture of security by implementing a regular schedule of employee training. Make sure training includes employees at satellite offices, temporary help, and seasonal workers.
Before you outsource any of your business functions (payroll, web hosting, consumer call center operations, data processing or the like), investigate the company's data security practices and compare their standards to yours."
From the FTC publication Protecting Personal Information: A Guide for Business.
With only 5 months remaining, now is the time to get your identity theft program in place. No organization can afford the fallout from litigation, fines, and the loss of business resulting from a breach and subsequent identity theft episodes.
Happy New Year!
Tuesday, December 23, 2008
Former Cedars-Sinai employee held in identity theft, fraud
- Did anyone steal financial information from the hospital?
- Did anyone try to open new credit accounts with the information?
- Why then did the hospital ask the victims to monitor their credit reports?
- Where are insurance claims reported? To the credit bureaus? No, they are reported to MIB Group, a consortium of insurance companies, and to CLUE, the Comprehensive Loss Underwriting Exchange database owned by ChoicePoint.
It is amazing how little people know about identity theft even now that it has become the number one "white collar" crime in the world. It takes my breath away when I see articles like this. You know when you watch a police drama and the cops are circling the criminal holed up in a building. "You go around back," the detective says to the uniformed officer. "I'll go in front." They knew to protect both fronts; why don't businesses? What will these victims do while they are watching their credit reports and the thief has sold the medical info to a hundred people looking to file false insurance claims, or get health care they couldn't get otherwise? It is estimated that somewhere between 250,000 and 500,000 Americans are victimized by medical information theft each year.
Read on...
Man is accused of taking the records of more than 1,000 patients and filing workers' compensation claims through a fictitious lab.
By Alexandra Zavis December 23, 2008 Los Angeles Times
More than 1,000 patients at Cedars-Sinai Medical Center had their personal information taken by a former employee in the hospital's billing department, according to hospital officials who said prosecutors allege that the man used the identities to steal from insurance companies.
The hospital's chief financial officer warned affected patients in a letter sent last week that their information had been found during a search of the former employee's home. He urged them to monitor their credit reports and to notify the district attorney's office if they noticed anything unusual.
The allegations against James Allen Wilson, 44, of Los Angeles mark the latest in a series of privacy breaches at area hospitals, where staffers have been caught peeking at the files of celebrities as well as their co-workers and friends.
In this case, hospital officials said Allen -- who last worked at Cedars-Sinai in March 2007 -- had legitimate access to the patients' records for billing purposes, but did not have permission to take identifying information home.
So far, investigators have alleged that the scheme netted Wilson at least $69,000, said Jane Robison, a spokeswoman for the Los Angeles County district attorney's office. But she said the investigation is continuing, and the scope and scale of the alleged theft could grow.
Wilson was arrested Nov. 6 by the Los Angeles County Sheriff's Department. He has pleaded not guilty to multiple felony charges, including identity theft, insurance fraud and grand theft. He remains in custody on $895,000 bail and is scheduled to be in court Jan. 22. Attempts to reach his attorney Monday were not successful.
Hospitals' increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars. Cedars-Sinai officials said they are serious about their responsibility to protect patients' information.
"In this case, it appears the privacy breach was not the result of someone accessing information they should not have accessed, but instead the privacy breach involved an individual illegally using information that he had legitimate access to as part of his job," Chief Financial Officer Edward Prunchunas wrote in the letter that the hospital provided to The Times.
Prunchunas assured the recipients that there was no immediate indication that their personal information had been used for anything other than fraudulent insurance claims. He said hospital officials had no knowledge of any illegal activity until alerted recently by prosecutors.
"We are deeply concerned and troubled about any privacy breach, and expect that you will feel similarly," Prunchunas said. "I would like to personally apologize for the fact that a former employee was apparently involved in this criminal activity."
Wilson worked in Cedars-Sinai's workers' compensation accounts department from January 2003 until March 2007, when he left the hospital for reasons unrelated to the case, Cedars-Sinai spokeswoman Elise Anderson said. She declined to elaborate, citing the hospital's obligation to protect employees' privacy.
Because of the ongoing investigation, district attorney's officials refused to discuss details of the case against Wilson, including the affected insurance companies. According to the hospital's letter, prosecutors told the hospital that Wilson set up a fake laboratory company. He allegedly used the names of actual workers' compensation beneficiaries to submit claims for services that were never performed at the fictitious lab, the letter said. The insurers sent payments by check to a post office box that Wilson set up, the letter said.
When investigators searched Wilson's home at the time of his arrest, they found the records of legitimate workers' compensation claims belonging to 1,005 patients, Anderson said. By Monday, few of those patients had responded to the hospital's letter. Those who contacted the hospital reported that they had suffered no personal financial losses, Anderson said.
When a patient's medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records.
Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation.
The wife of one man who received the letter said they felt doubly victimized, first by the injury on the job and now by the theft of his personal details. She and her husband asked not to be identified because they have both suffered work-related injuries and she is still in the process of seeking compensation for care.
"I never expected it," he said. "This is one of the best hospitals I have been treated at -- the doctors, the nurses, everybody -- and it's very sad that an employee would do something like this."
Cedars-Sinai has faced previous problems with breaches of patient confidentiality. Hospital spokesman Richard Elbaum told The Times earlier this year that three or four workers are terminated annually for trying to peek at celebrity patients' records. There are also suspicions that someone at the hospital tipped the celebrity news website TMZ.com to a story on a medication error last year that nearly killed the infant twins of actor Dennis Quaid and his wife, Kimberly, although no one has been charged. Similar problems have surfaced at one of the hospital's major competitors, UCLA Medical Center, where at least 165 staff members have been disciplined for improperly accessing the files of more than 1,000 patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.
The allegations in the Wilson case, however, mark a different challenge because he was permitted access to the files as part of his job, Anderson said.
Cedars-Sinai officials said that although they continually reevaluate security procedures, they plan to use the latest breach as another opportunity to review the way the hospital monitors the conduct of employees who have access to patients' information. The hospital already uses passwords, security cameras and audits to monitor who has accessed the files, among other methods. Even more security is in place in the case of high-profile patients, including limits on the employees who can view their records and real-time alerts to signal inappropriate access.
If someone gets past those hurdles they will see an on-screen warning: "This patient record is restricted. All accesses are logged and audited. Inappropriate accesses are grounds for disciplinary action and/or dismissal."
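Two things on this page point at the same control: the Forrester piece above (under "Small and medium sized business will spend more on security in '09") warns about users who kept rights from a previous role and about terminated employees whose access should be denied immediately, and the article here describes record-access audits with real-time alerts on restricted patient files. The script below is an added example, not code from this blog, from Cedars-Sinai, or from Forrester. It assumes a simple one-line-per-access log format, a hypothetical HR roster with termination dates, a hypothetical allowlist for restricted records, and a constructed bulk-access threshold, and it flags access after a termination date, access to a restricted record by a user not cleared for it, access by a user absent from the roster, and one user touching an unusually large number of distinct records in a day. All names and log lines are constructed.

```python
"""Access-audit checks over constructed hospital record-access logs.

Added example, not code from the blog, Cedars-Sinai, or Forrester. Assumes a
hypothetical roster, a hypothetical restricted-record allowlist, and a
constructed log format: "<ISO timestamp> <user> <patient_id> <action>".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster: user -> (role, termination date or None). Hypothetical data.
ROSTER = {
    "jsmith": ("billing", None),
    "aclerk": ("billing", date(2008, 3, 31)),  # left in March; access should be gone
    "dr_lee": ("physician", None),
}

# Constructed allowlist: restricted patient record -> users cleared to open it.
RESTRICTED = {
    "P-9001": {"dr_lee"},
}

# Constructed threshold: more distinct patient records than this for one user in
# one day raises a bulk-access alert. A tunable for this example, not a standard.
BULK_THRESHOLD = 3


@dataclass(frozen=True)
class Alert:
    kind: str    # post_termination | restricted_record | unknown_user | bulk_access
    user: str
    detail: str


def parse_line(line):
    """Split one constructed log line into (timestamp, user, patient_id, action)."""
    ts, user, patient, action = line.split()
    return datetime.fromisoformat(ts), user, patient, action


def audit(lines):
    """Run the four checks over an iterable of log lines; return alerts in order."""
    alerts = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids touched
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = parse_line(line)
        role, term = ROSTER.get(user, (None, None))
        if role is None:
            # No roster entry at all: an orphaned or shared account, alert and skip.
            alerts.append(Alert("unknown_user", user, f"{patient} at {ts.isoformat()}"))
            continue
        if term is not None and ts.date() > term:
            # Account still works after HR recorded the departure.
            alerts.append(Alert("post_termination", user, f"{patient} on {ts.date()}"))
        if patient in RESTRICTED and user not in RESTRICTED[patient]:
            # Restricted record opened by someone outside its allowlist.
            alerts.append(Alert("restricted_record", user, f"{patient} at {ts.isoformat()}"))
        per_user_day[(user, ts.date())].add(patient)
    # Volume check runs after the pass so it sees the whole day for each user.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > BULK_THRESHOLD:
            alerts.append(Alert("bulk_access", user, f"{len(patients)} records on {day}"))
    return alerts


# Constructed sample log (not real data).
SAMPLE_LOG = """
2008-04-02T09:10:00 jsmith P-1001 view
2008-04-02T09:12:00 jsmith P-1002 view
2008-04-02T09:15:00 aclerk P-1003 view
2008-04-02T10:00:00 jsmith P-9001 view
2008-04-02T10:05:00 dr_lee P-9001 view
2008-04-02T11:00:00 jsmith P-1004 view
2008-04-02T11:30:00 jsmith P-1005 view
2008-04-02T12:00:00 ghost P-1006 view
"""

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.kind:18} user={a.user:8} {a.detail}")
```

On the sample log this raises four alerts: aclerk's access after the March termination date, jsmith opening the restricted record P-9001, the unknown account ghost, and jsmith's five distinct records in one day. The post-termination check only works if HR's departure date actually reaches the log reviewer, which is the coordination problem Penn describes; the volume check is the crudest of the four and is there to show that a user with legitimate access, as in the Wilson case, can still be surfaced by how much they touch rather than by what they are allowed to touch.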
Friday, December 19, 2008
Ask Yourself
Our lives are literally controlled by two numbers: our Social Security number and our driver's license number. When those two numbers are used by identity thieves, records kept on you in any number of thousands of databases are corrupted. Once corrupted they are nearly impossible to correct, if you can even find out which ones need correcting. Public records are then attached to your NCIC and credit reports, driving down your FICO score. There goes your chance to get a raise, find a new job, get a loan, rent an apartment, and hundreds of other things that rely on your credit score and a clean record to determine your worthiness.
In the above scenario did anyone attempt to open a new credit account? Ladies and gentlemen, this is Identity Theft. Will a credit monitoring or credit freeze and alert service help you?
Unless something pressing happens in the next week I'm taking a few days off.