Woman gets prison over Irving teachers ID theft

DALLAS — A Bedford woman apologized as she was sentenced to 34 years in prison in an identity theft scam targeting educators in Irving.

Sharon Denise Seeley pleaded guilty and was sentenced to 30 years for fraudulent use or possession of identifying information. She was sentenced to two years on each of two counts of credit card abuse.

The 40-year-old woman will serve the sentences concurrently.

About a dozen victims were in court Thursday. Several testified about how ID theft had destroyed their credit ratings and left their lives in turmoil.

Thieves were blamed for getting the data of more than 3,000 Irving teachers and other district employees from an old benefits report. Seeley, who was arrested in 2009 at a mall, says the information she used came from a binder thrown in a trash bin.

(see original article here)

Business Associates Can Pay Directly For Breaches

Business associates can be directly liable for a breach of unsecure protected health information (PHI) and could have to pay OCR directly, a top OCR official told HealthLeaders Media at the 18th Annual National HIPAA Summit Wednesday afternoon.

HealthLeaders Media asked Sue McAndrew, deputy director for Health Information Privacy for OCR, if a business associate could end up paying out of its own pocket for a breach.

The answer is yes.

“Business associates going forward will be directly liable for violations that occur in their possession,” McAndrew said. “The fines would be imposed upon the BA, and if they can’t pay, we send them to jail.”

McAndrew laughed at the line about “jail,” and said it was in jest.

However, she went on to say OCR would consider waiving—or decreasing—some of the penalties after an assessment of the financial state of a violating hospital. She also said that the “settlement door is always open.”

On Wednesday, McAndrews also released breach numbers for the month of January:

• As of January 2010, there have been 35 reports of breaches affecting 500-plus individuals, resulting in 712,000 notices.
• Most of the reports were ePHI contained in lost or stolen unencrypted media or portable device.
• There were more than 300 reports of smaller breaches.
• Most of the paper records were sent to wrong fax numbers, wrong addresses, and wrong individuals.

(see original article here)

Social Security numbers found lying in street

Sensitive documents mysteriously appear in Des Plaines, putting identities at risk

The W-2 form of Jeffrey Simmons of Santa Rosa, California, lies on the ground on the 1000 block of East Touhy in Des Plaines, Ill., on January 28, 2010. The W-2 came from MEDHQ, LLC in Westchester, Ill. Hundreds of documents including W-2 forms, financial and retirements statements, credit card accounts statements, and among others were found blowing in the wind.

When Elida Cruz worked in the banking industry, she assured clients that their personal information would remain confidential.

So, imagine her horror when she learned that much of her own information, including her Social Security number, birth date, phone number and job history, had become astonishingly public, floating down a Des Plaines street in a cloud of half-shredded paperwork.

Hundreds of sensitive, intact documents — including W-2 forms, investment account balances and job applications — were inexplicably swirling around Touhy Avenue and Eastview Drive on Thursday afternoon. After being tipped to the airborne paper trail, the Tribune contacted some of the people and companies listed on the documents.

None of them knew how the papers could have ended up in the street.

“I am pretty much disgusted with this,” said Cruz, 47, of Chicago, who was notified that at least 17 documents with her Social Security number (the apparent remnants of an old job application) had been retrieved. “All of that is sensitive information. You would think your stuff is secure.”

Privacy experts say the loss of confidential paperwork illustrates that even in an electronic age, stray documents remain a danger.

“It’s a lot more frequent than people would suspect,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego. “Most of the time it’s just not discovered.”

His group, which pushes for tighter privacy laws, tracks breaches of sensitive information. Though computer hackers are behind most such data loss, careless document disposal still causes problems. Since 2006, the clearinghouse has noted 33 cases of legal, medical and financial paperwork discovered in trash bins.

Losing track of sensitive documents can have serious consequences.

Washington, D.C., attorney Christopher Wolf, founder of the Future of Privacy Forum and a partner at Hogan and Hartson, said state and federal laws on data security have gotten tougher in recent years. Companies that lose records often must announce it publicly, he said — a public relations nightmare.

“These laws certainly have spurred compliance, and every major corporation now understands they have a data security obligation,” he said. “Companies know they can’t put sensitive records on the curbside or throw them in the Dumpster. It’s not to say that never happens, but it’s rarer.”

Many companies contract with vendors to destroy their paperwork. That is the case with MedHQ, a Westchester firm that provides business services to healthcare providers. Some of its employees’ 2009 W-2 forms were found in Des Plaines.

Tom Jacobs, MedHQ president, said he called his shredding company (he declined to name it), but no one there claimed responsibility.

“I don’t know how it could have happened,” he said. “It is really upsetting to know there might be some documents out there that are loose like that. We are down near Oak Brook and don’t have any customers in that area.”

David Collins, owner of Lindy Manufacturing, a metal stamping company in Downers Grove, said his business does all of its shredding in-house. He also had no clue how employees’ 401(k) statements from several years ago could have escaped.

“It disturbs me a lot,” he said. “You just have to trust that these people (with access to sensitive papers) will do the right thing.”

Robert Johnson, executive director of the Phoenix-based National Association for Information Destruction, said a good shredding company maintains an unbroken chain of custody over its documents, with a screened employee taking them from locked container to locked vehicle to secured shredder.

He guessed that a recycling company or waste hauler might have been the source of the Des Plaines paperwork.

“It would explain why materials from disparate sources would have ended up in one place,” he said.

Des Plaines police said Friday they had no reports about the paper trove.

The National Insurance Crime Bureau, whose Touhy Avenue headquarters are close to where the documents were discovered, had its employees collect as many as they could and plans to return them to the people named in the papers.

“If we see who belongs to the stuff, we will get it back to them,” spokesman Frank Scafidi said. “It’s definitely not ours.”

Freelance reporter Krystyna Slivinski contributed to this report.
(see original article here)

Medical files found in trash

PORT ST. LUCIE, FL — Police on turned up medical files in a trash bin near University Medical Clinics that contained information that could be used to commit identity theft, a police spokesman said Wednesday.

Police determined the files, which contained information including patient names, Social Security numbers, phone numbers and addresses, had been discarded from University Medical Clinics in the 1800 block of Southeast Port St. Lucie Boulevard, said Officer Tom Nichols, police spokesman.

A man identified by Nichols as a high ranking official with the company indicated an employee had thrown the files way.

“A garbage bag full of medical records is not an oversight,” Nichols said.

Dr. Samuel Sadow, CEO of University Medical Clinics, said Wednesday he didn’t think any patient information had been compromised.

“We’re very concerned about it and we’re doing our own internal investigation,” Sadow said.

Nichols said the records were returned to the office.

Nichols said the files initially were found by a woman acting on an anonymous tip that they’d been discarded. That woman then notified police of her discovery.

(Read original article here)

BIG DAY FOR HIPAA/HITECH PROVISIONS

While many of the changes to HIPAA contained in the HITECH amendment, such as increased fines, Attorney’s General enforcement, and Health Data Breach notification came into effect already, February 18th, the law’s one year anniversary, marks a number of significant HIPAA/HITECH milestones.

Here is a sample of some that could affect the secure destruction service provider . . .

1. Application of rules to, and accountability for, Business Associates.  (No longer are BAs solely tied to HIPAA by the BA contract with the Covered Entity, but now, in some respects, operate essentially with all the requirements applied to Covered Entities.)
2. Requirement for HHS to begin conducting mandatory audits.
3. Clarification regarding which entities are required to be business associates. (Both HHS and the FTC have already identified secure destruction services as BAs in earlier guidance publications.  It would difficult to see this changing)
4. HHS and FTC study on privacy and security requirements for PHR vendors and applications (PHR vendors are a new type of Covered Entity under FTC jurisdiction who maintain or process health-related data as a result of offering Internet based services.)
5. First annual guidance on the most effective and appropriate technical safeguards for health information. (This could go either way.  When HHS issued guidance on security measures to avoid data breach, they inadvertently caused many Covered Entities to apply the wrong particle size specification.  If guidance is promulgated in this new document with a similar type of reference, it will  make life a bit more complicated for secure destruction services)
6. HHS to implement a health information privacy educational initiative
7. Clarification regarding the ability to impose criminal penalties against individuals

Shredding Service Fort Lauderdale

MicroShred

Secure Mobile On-Site / Off-Site Document Shredding Company – Fort Lauderdale, Florida

PRIVATE INFO FOUND IN COUNTY DUMPSTER

Daytona Beach News-Journal – Bunnell, Florida

The Flagler County Building Department recently came under scrutiny when records containing social security numbers and other sensitive information landed in the dumpster, rather than in a shredder. Every 15 years the County purges its files, and this time clerks improperly disposed of sensitive files. While employees were verbally reprimanded, many local citizens are demanding further action be taken to protect their information.

CONTACT MICROSHRED TODAY TO SHRED ALL OF YOUR SENSITIVE DOCUMENTS

MARYLAND BANK DUMPS IDENTITIES INTO TRASH

ABC2 News – Rodgers Forge, Maryland

ABC2 News investigators recently discovered that an M&T Bank branch in Rodgers Forge, Maryland improperly disposed of documents that should have been shredded. These documents included social security numbers, driver’s license numbers, bank accounts, and other sensitive information that should not have wound up in the dumpster. When contacted by the media M&T stated that the discovery was a clear violation of corporate policy, and pledged to conduct an extensive internal investigation…

Full Story

MOUNTAIN OF JOB APPLICATIONS FOUND IN PALM SPRINGS DUMPSTER

Palm Beach Post – Palm Beach, California

October 7, 2009- Hundreds of job applications and copies of other personal information were found in a Dumpster behind a Palm Springs plaza Wednesday. The documents, including copies of Social Security cards and driver’s licenses, belonged to staffing agency CLP, which has since launched an internal investigation. Police documented the incident and are monitoring the area for cases of identity theft that may be related to the discarded applications…

Full Story

ARLINGTON TRASH BIN YEILDS SENSITIVE DOCUMENTS

WFAA TV – Dallas, Texas

Sales documents, belonging to K. Hovnanian Homes, were discovered in an Arlington dumpster by a local citizen. When contacted, the local District Attorney stated that while not a crime the dumping was reckless and could have led to a disaster. The homebuilder claims that they contract destructions services to an outside vendor, and is trying to figure out how the documents ended up in the dumpster…

Full Story