ID Theft Incident Leads Breach RoundupEmployee Stole Information on 2,800 Patients
In this week's breach roundup, a former employee at the Palm Beach County Health Department in Florida has been charged with identity theft. Also, security vendor Bit9 reports a breach that caused the issuance of digital certificates that were illegitimately used.
Arrest in Florida ID Theft Case
A former employee at the Palm Beach County Health Department in Florida has been arrested and charged with identity theft.
Salita St. Simon, formerly a senior clerk at the health department, allegedly obtained patient identification information, including names and Social Security numbers, from the health department's computer system and then provided it to others who used it to file fraudulent tax returns, according to the U.S. Attorney's Office for the Southern District of Florida.
St. Simon allegedly stole information on more than 2,800 patients last year, authorities say.
If convicted, St. Simon faces up to five years in prison and three years of supervised release.
Vendor Concedes It Let Its Guard Down
Bit9 says its failure to install its own information security products to detect intrusions on its network has resulted in a breach, causing the issuance of digital certificates that were used illegitimately to sign malware affecting three customers.
President and Chief Executive Patrick Morley, in a Bit9 blog post, characterizes the failure as an "operational oversight," adding that its products were not compromised. "We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," he says.
Bit9 says it had notified affected customers - Morley didn't identify them - and has reached out to all of its customers to ensure them they are no longer vulnerable to malware associated with the affected certificate.
Insider Incident Leads to Class Action
In a class action lawsuit filed in New York, 12 plaintiffs who were treated at North Shore University Hospital claim the hospital was negligent, breached fiduciary duty and violated several laws, including HIPAA, when a former hospital worker stole patient record face sheets - the top sheets on patients' paper files - and subsequently used personal information to allegedly open fake credit card and cell phone accounts. The incidents occurred in 2010.
The plaintiffs are suing for $50 million in punitive damages and an unspecified amount for actual damages, according to news reports.
North Shore-LIJ Health System, which owns North Shore University Hospital, says more than 100 patients were affected by the 2010 ID theft incident.
The health system sent letters to about 200 patients in late 2011 and early 2012 notifying them that their personal information may have been compromised and offering free credit monitoring for a year, says Terrance Lynam, a spokesman for North Shore-LIJ. So far, about half of those patients have reported fraudulent credit card activity, he adds.