Presbyterian Hospital admissions rep allegedly steals patient information

Date Reported:
4/12/08

Organization:
Presbyterian Hospital/Weill Cornell Medical Center

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
Over 50,000

Types of Data:
"names, phone numbers and social security numbers of male patients between 58 and 78 years old"

Breach Description:
"A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients."

Reference URL:
The Cornell Daily Sun
New York Post
United Press International

Report Credit:
United Press International

Response:
From the online sources cited above:

A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients.
[Evan] According to this statement, he has already pleaded guilty.

After the hospital was made aware of the theft in January, it was confirmed in an internal investigation, hospital spokeswoman Myrna Manners said.

"We obviously deeply regret that this has happened," she told the Times.

Dwight McPherson, the man arrested in connection with the crimes, was said to have been selling information since 2006, when he was approached with a request for the names, phone numbers and social security numbers of male patients between 58 and 78 years old.
[Evan] He was approached rather than the other way around?  This is interesting if it is true.  It means that identity thieves (or those that trade in such information) are actively seeking out employees of organizations for sensitive personal information.  This is an angle that I never really thought of, though in hindsight I should have.

McPherson's alleged scam was uncovered when postal inspectors in Atlanta executing a search warrant on an identity-theft operation there discovered 221 documents that had come from New York-Presbyterian Hospital.

Dwight McPherson, a 38-year-old patient-admissions representative from Brooklyn, admitted he began to access the files and sell information in early 2006.

The information was used for identity theft.

McPherson was released on Saturday under the condition that he not leave the state.

McPherson was released on $500,000 bail.
[Evan] Whoa!  Does this mean that he had to come up with $50,000 to post bail?  I think you have to come up with 10% yourself.  $50,000 is a lot of money for a "patient-admissions representative" to have lying around.

His lawyer, Bob Walters, defended his client, saying, "He is a hardworking, honest man,"
[Evan] Uh, but he pleaded guilty to taking the easy way and committing fraud, right?

After looking through computer logs, they realized McPherson's user login had been used to improperly access the files of 49,841 patients.

McPherson most recently sold 1,000 records near the end of last year for about $750 and more records a bit later for $600.

Those whose identities have been stolen will receive a letter detailing what happened, and have access to a hotline with credit-monitoring services.

Commentary:
Of the 300 breaches reported thus far on The Breach Blog, this is the first one that I recall in which an outsider approached an employee for personal information.  I have read about breaches where the employee approached and sold information to an intermediary or outsider (i.e. Fidelity/Certegy and William Sullivan), but not the other way around.  This is interesting.

Mr. McPherson appears to have used his legitimate user account to access records in a manner for which he was not authorized.  This activity can be difficult to detect without specialized controls.  People that do bad things end up costing us all in the long run.
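
One form the "specialized controls" mentioned above can take, shown as an added example that is not from the cited reports or the hospital's systems: a review of record-access audit events that flags a login viewing far more patients than it ever processed an admission for, and summarizes how narrow the demographic of those records is. The event fields, user names, thresholds and sample data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed audit data: (user, patient_id, sex, age) access events,
    plus the (user, patient_id) admissions each user actually processed."""
    events, handled = [], set()
    for user in ("rep_a", "rep_b", "rep_c", "rep_x"):
        for i in range(20):  # ordinary work: lookups tied to an admission
            pid = f"{user}-p{i}"
            events.append((user, pid, "MF"[i % 2], 20 + 3 * i))
            handled.add((user, pid))
    for i in range(300):  # rep_x also views records with no admission on file
        events.append(("rep_x", f"bulk-{i}", "M", 58 + i % 21))
    return events, handled

def review(events, handled, peer_factor=5, min_unexplained=25):
    """Flag logins whose views of patients they never admitted far exceed
    the peer median, and describe how narrow that set of patients is."""
    unexplained = defaultdict(dict)
    users = set()
    for user, pid, sex, age in events:
        users.add(user)
        if (user, pid) not in handled:
            unexplained[user][pid] = (sex, age)  # distinct patients only
    counts = {u: len(unexplained[u]) for u in users}
    baseline = max(median(counts.values()), 1)
    findings = {}
    for user, n in counts.items():
        if n < min_unexplained or n <= peer_factor * baseline:
            continue
        sexes = [s for s, _ in unexplained[user].values()]
        ages = [a for _, a in unexplained[user].values()]
        findings[user] = {
            "unexplained": n,
            "top_sex_share": max(sexes.count(s) for s in set(sexes)) / n,
            "age_range": (min(ages), max(ages)),
        }
    return findings

if __name__ == "__main__":
    for user, detail in review(*build_sample()).items():
        print(user, detail)
```

A high share for one sex together with a tight age range across many unexplained lookups suggests records are being selected to a specification rather than opened in the course of admissions work.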

Past Breaches:
Unknown

 
Comments
  • 4/15/2008 5:08 PM Jack wrote:
    This sort of thing is happening more and more where a hub/spoke criminal system is used with 1 main person waiting in a house to download someone's camera phone who takes pictures of people's information. People are actually sending "mules" into a company to grab customer information and take it back. We had an issue like this and now we do our own background checks, no one with any felonies is allowed to work at our company. Client information is too critical.