[ISN] UIC worker charged in security breach

From: InfoSec News (alerts@private)
Date: Thu Mar 29 2007 - 22:37:09 PST


By Ravi Baichwal
March 29, 2007 

A Chicago hospital worker is charged with stealing patient information. 
An emergency medical technician is accused of using his job to access 
the sensitive data of at least eight patients at UIC Medical Center for 
his own use. The EMT has been fired from the hospital.

A criminal investigation is underway as the UIC hospital warns other 
patients about the security breach.

Officials at UIC Medical Center, an award-winning institution in the 
field of computerized patient medical records, tell ABC7 the criminal 
investigation was launched last month. They say they discovered an EMT 
had improperly accessed patient records. That EMT is 28-year-old Leslie 
Langford. He faces several charges including identity theft.

"We do take this very, very seriously and immediately responded as soon 
as we were alerted to the investigation by UIC police," said Sherri 
McGinnis Gonzalez, UIC spokesperson.

UIC says an EMT was fired last month as soon as it came to light that 
eight patient medical records were inappropriately accessed by someone 
with privileged access to those records.

The hospital has sent out letters to over 240 patients saying their 
records may have been similarly breached and they should take steps to 
avoid becoming victims of identity theft.

"The information that the employee had access to was demographic, 
personal medical information, and we believe that person used that 
information in an inappropriate manner," said McGinnis Gonzalez.

Exactly what that is the hospital would not explain, citing the criminal 
investigation, but the hospital stressed this was not a case of a breach 
of the system to the outside world.

"Administrators were able to look at the electronic medical records 
system and actually track what records this employee had access to and 
it actually helped in the investigation," said McGinnis Gonzalez.

But patient information is now out there. And one expert in identity 
theft suggests UIC could be doing a lot more -- such as buying identity 
and credit monitoring services for victims -- as one way to make up for 
the fact that it is nearly impossible to ensure those with access to 
information don't succumb to the temptation to sell it.

"There is you know a clear exchange out there, almost like a stock 
exchange in identities, and the more information you have the more the 
identities are worth, and in fact, if you go out there to the right 
places looking for it, there is almost like a bid-ask situation out 
there where there is a floating set of prices out there, 'I have this 
many names, and this type of information, what can I get for it?' " said 
Garnet Steen, RelyData.com.

"The nightmare scenario isn't just the consumer has some credit cards 
opened up in their name, but somebody obtains medical services in their 
name and that that medical information gets co-mingled with their own," 
said Steen.

Leslie Langford is the son of Chicago Fire Department Spokesman Larry 
Langford. Larry Langford told ABC7 this is a private family matter and 
they are working with Leslie concerning this issue.
