Illinois Eye Center warns patients of identity theft

Date Reported:
3/28/08

Organization:
Illinois Eye Center

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
Unknown

Types of Data:
Names, Social Security numbers and dates of birth

Breach Description:
"A former Illinois Eye Center employee could have used confidential patient information for identity theft."

Reference URL:
Peoria Journal Star
WEEK NBC News

Report Credit:
Tom McIntyre, WEEK NBC News

Response:
From the online sources cited above:

Peoria's Illinois Eye Center has warned its clients that a former employee allegedly accessed confidential patient records.

A former Illinois Eye Center employee could have used confidential patient information for identity theft.
[Evan] Employee fraud is one of the most challenging risks to protect against.

According to a letter the eye center sent last week to affected patients, the records obtained include patient names, Social Security numbers and birthdates.

It is believed females between ages 18 and 25 were targeted.

The Peoria County Sheriff's Department was alerted about the possible identity theft in January and has received seven or eight reports total, Lt. Mark Greskoviak said.

The female suspect, whose name has not been released, worked as a receptionist at the center from June to November 2007 and police believe she now lives outside Illinois.
[Evan] Segregation of duties is just as important in a small company (or office) as it is in a large company.  Should a receptionist have access to Social Security numbers?

The former employee has not been charged; Greskoviak said the department hopes to make an arrest in the near future.

Like most cases of identity theft, the confidential information was not used until long after it was obtained.
[Evan] Bingo!  So how effective is 12 months of credit monitoring, which is the 'standard' offering by organizations to victims?

Commentary:
This receptionist probably had 'legitimate' access rights to confidential patient information, so what is a company to do beyond employee background checks?  First, closely evaluate the information that people are granted access to.  Limit access to only the information that is absolutely necessary to perform job functions.  In this case, I would ask if a receptionist really needs access to Social Security numbers.  The receptionist probably doubles as an accounts receivable/payable clerk, so he/she would need occasional access to such information.  The key word is 'occasional'.  When this person needs access to Social Security numbers (presumably for credit checks, billing, etc.), this access should be logged and audited regularly.  The more an individual feels as though they are being watched, the less likely they are to commit fraud (generally).

The report mentions that females between the ages of 18 - 25 were targeted by the fraudster.  This implies that the perpetrator was a female between the ages of 18 - 25.  Brilliant, eh?
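The "logged and audited regularly" step from the commentary above can be sketched as a weekly review of SSN-field access. This is an added example, not code from the original post or from the eye center. The log format, user names, role limits and reason codes are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical users and patients, not incident data).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,field,reason
2024-03-04T09:12:00,user_a,receptionist,P1001,ssn,billing
2024-03-04T09:40:00,user_a,receptionist,P1002,dob,
2024-03-05T10:05:00,user_b,receptionist,P2001,ssn,billing
2024-03-05T10:06:00,user_b,receptionist,P2002,ssn,billing
2024-03-06T16:30:00,user_b,receptionist,P2003,ssn,
2024-03-07T16:31:00,user_b,receptionist,P2004,ssn,billing
2024-03-07T11:00:00,user_a,receptionist,P1003,ssn,credit_check
"""

# Assumed policy: how many distinct patients' SSNs a role may view per ISO week.
# "Occasional" access for a receptionist is modelled here as at most 3.
WEEKLY_SSN_LIMIT = {"receptionist": 3, "billing_clerk": 50}
# Assumed reason codes that justify viewing an SSN.
ALLOWED_REASONS = {"billing", "credit_check"}


def audit_ssn_access(log_text):
    """Return a sorted list of (user, iso_week, finding) for SSN access."""
    patients = defaultdict(set)  # (user, role, week) -> distinct patient ids
    findings = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["field"] != "ssn":
            continue  # only SSN views are in scope for this review
        year, week, _ = datetime.fromisoformat(row["timestamp"]).isocalendar()
        week_id = f"{year}-W{week:02d}"
        patients[(row["user"], row["role"], week_id)].add(row["patient_id"])
        # Every SSN view must carry a recognised business reason.
        if row["reason"] not in ALLOWED_REASONS:
            findings.add((row["user"], week_id,
                          f"no valid reason for {row['patient_id']}"))
    for (user, role, week_id), ids in patients.items():
        limit = WEEKLY_SSN_LIMIT.get(role, 0)  # unlisted roles get no SSN access
        if len(ids) > limit:
            findings.add((user, week_id,
                          f"{len(ids)} patients' SSNs viewed, limit {limit}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ssn_access(SAMPLE_LOG):
        print(finding)
```
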

Past Breaches:
Unknown
