[ISN] Identity breach affects hospital

From: InfoSec News (alerts@private)
Date: Fri Mar 28 2008 - 00:28:48 PST


http://www.whittierdailynews.com/news/ci_8710866

By Airan Scruby
Staff Writer
Whittier Daily News
03/26/2008 

WHITTIER - About 5,000 past and current employees at Presbyterian 
Intercommunity Hospital had their private information stolen, officials 
said Wednesday.

The data included Social Security numbers, birth dates, full names and 
other records stored on a desktop computer that was stolen from a 
Fullerton data management group on Feb. 11.

In addition to the 5,000 employees, another 35,000 identities from 18 
other companies were stored on the computer, officials said.

According to hospital Human Resources Vice President Lon Orey, the 
employees will be given a one-year subscription to LifeLock, a group 
which tracks the user's information and guards it from illegal use.

"We take the treatment of employee information very seriously," Orey 
said, "and we will continue to do everything we can to protect them."

A letter informing employees that their information was in jeopardy was 
dated March 13, more than a month after the breach.

Spokeswoman Terri Starkman said the hospital would not comment about the 
lapse between the theft and notification.

"I really don't have any further information other than that," Starkman 
said.

Police arrested Todd Irvine of La Habra on March 7 after they tracked 
the stolen computer to his house through an IP address. They found other 
stolen computers and equipment, according to Fullerton police.

Sgt. Mike MacDonald said it was unlikely that the identities stored in 
the computer were the target of the thief. The suspect probably just 
wanted the electronics, he said.

Irvine, 43, was arraigned and remains in custody, MacDonald said.

Those affected either work or have worked for Presbyterian 
Intercommunity Hospital and received health benefits through that 
employer, Orey said.

Among those groups are the Los Angeles Department of Water and the 
Modesto City School District, police said.

According to Orey, the sensitive information was given to Systematic 
Automation, Inc., so that the company could relay information to health 
insurance providers on behalf of employees. Orey said the hospital did 
not ask for permission to give the information to Systematic Automation.

"It's just an automatic kind of thing," Orey said.

A Systematic Automation representative said the company immediately 
notified its partners that were affected and were working with police. 
The representative declined to give his name.

In an official statement, the hospital said that it "like any large 
company, relies on the services of outside experts to perform various 
functions on its behalf."

Orey said the incident has prompted a closer look at employee security.

Many affected by the breach have requested coverage through LifeLock to 
last more than one year, and Orey said the hospital is considering 
extending the benefits. He said the hospital may even give coverage to 
all of its current 3,000 employees, just to be safe.

"There is a high probability," he said, "we're going to make this an 
ongoing program for employees."

