Patients notified of potential identity theft incident

[Erica Absetz <erica () riskbasedsecurity com>]

http://news.ufl.edu/2013/04/03/potential-identity-theft/

GAINESVILLE, Fla. -- An employee working at a University of Florida
medical clinic who had ties to an identity theft ring may have
compromised patient personal and health information.

UF is notifying 14,339 patients of the UF&Shands Family Medicine at
Main practice that they should take appropriate measures to protect
themselves from identity theft. UF is offering fraud resolution
services for those who suspect or confirm identity theft associated
with this incident; the fraud service offer is good for one year. UF
has been unable to locate current addresses for 450 patients. Anyone
who was a patient between March 2009 and October 2012 and does not
receive a letter should telephone the UF call center listed below to
find out if he or she may be affected.

"We share our patients' frustration regarding this situation and
regret that it happened," said Susan Blair, chief privacy officer for
the University of Florida. "We are committed to serving our patients
and helping them get through any problems that arise stemming from
this incident."

The Office of the State Attorney, the Internal Revenue Service and the
U.S. Secret Service allege a UF employee acquired patient insurance
information, including names, addresses, dates of birth and Social
Security numbers, and may have sold some of the information to a third
party.

The employee has been terminated and may face criminal charges.

The university learned of the alleged incident from state and federal
law enforcement officials on Oct. 25, when an identity theft ring that
targeted several hospitals and health clinics in the state of Florida
was uncovered. Law enforcement prohibited UF from notifying patients
until the criminal investigation was completed.

The letters sent to patients include information about the incident,
steps they can take to protect themselves, information about identity
monitoring services and steps recommended by the U.S. Federal Trade
Commission about checking credit reports. To further help prevent
misuse of information, those affected may wish to contact the three
major credit agencies and notify them that personal information was
inappropriately accessed and misused.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.