[ISN] 700,000 Hoosier ID's compromised in computer theft

From: InfoSec News (alerts@private)
Date: Sun Apr 20 2008 - 22:28:02 PDT


http://www.pal-item.com/apps/pbcs.dll/article?AID=/20080419/UPDATES/80419008

By JOHN RUSSELL
THE INDIANAPOLIS STAR 
April 20, 2008

INDIANAPOLIS -- A computer server containing Social Security numbers and 
other personal information of 700,000 people was stolen last month from 
a Southside debt-collection bureau in what appears to be the largest 
computer security breach ever in Indiana.

The information includes customer-billing records for about 100 Indiana 
businesses, including Citizens Gas & Coke Utility, St. Vincent Health 
and Methodist Medical Group.

The exposed data was limited to past-due billing information that had 
been turned over for debt collection to the Central Collection Bureau, 
the agency announced Friday. Customers whose accounts were in good 
standing were not affected.

The bureau collected overdue bills on behalf of dozens of Indiana 
companies, including hospitals, medical and dental offices, window 
companies, water-conditioning companies and flower shops.

"We're obviously heartsick about this," said Chet Klene, the collection 
agency's president. "We've been in business since 1972, and nothing like 
this has ever happened before."

He said the missing computer server contained personal billing 
information that was protected by two passwords but was not encrypted. 
He said the server had been stored behind three locked doors.

Klene said the break-in occurred on Good Friday, March 20. The first 
employee arriving at work that day noticed the break-in and immediately 
called the Indianapolis Metropolitan Police Department, which 
investigated but has not found the server. The collection agency has 
notified companies whose billing records have been compromised, Klene 
said.

Joan Antokol, a lawyer specializing in computer security at Baker & 
Daniels, an Indianapolis-based law firm, said the breach was the largest 
she had seen in Indiana. No larger breaches in Indiana are included 
among the hundreds of incidents listed on Privacy Rights.org, a national 
clearinghouse.

"It's a problem that continues to grow," Antokol said. "There are new 
cases reported all the time. It's a serious problem."

Still, this breach does not rank among the top dozen or so nationally. 
Retailer TJ Maxx reported that as many as 100 million accounts were 
compromised as a result of thefts and hack-ins since last year.

The U.S. Department of Veterans Affairs said information on more than 28 
million veterans might have been exposed after a laptop was stolen from 
an employee's house in 2006. Monster.com, a Web-based job service, said 
information on more than 1 million job seekers had been stolen last 
year, containing names, addresses, phone numbers and e-mail addresses.

A spokesman for Citizens Gas said its missing records were past-due 
billing statements for 51,000 former customers that it was unable to 
find on its own. The information included names, last known addresses, 
Social Security numbers, dates of service and amount due.

Citizens has no way of notifying the former customers because their 
whereabouts are unknown, spokesman Dan Considine said.

"We certainly take this very seriously, any time there is a security 
breach, and we hope it gets cleared up very soon," he said.

St. Vincent Health said it had not given any billing business to Central 
Collection in more than three years, so all of the missing billing 
information is several years old. The stolen information included 
patient billing information for St. Vincent Hospital and affiliated 
physicians' practices, spokesman Johnny Smith said.

"We're committed to protecting confidential information of our patients. 
We regret any inconvenience to them," Smith said.

Billing records of about 62,000 patients of Methodist Medical Group, a 
physicians' group owned by Clarian Health, also were missing, as are the 
records of thousands of patients at Howard Regional Health System in 
Kokomo.

The break-in is being investigated by IMPD and the Indiana attorney 
general's office.


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Sun Apr 20 2008 - 22:40:53 PDT