BreachExchange mailing list archives

Parents, patients notified of potential identity theft incident


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 29 May 2013 10:22:55 -0500

http://news.ufl.edu/2013/05/29/potential-identity-theft-2/

GAINESVILLE, Fla. -- An employee working at a University of Florida
medical practice who had ties to an identity theft ring may have
compromised patient personal and health information.

UF is notifying 5,682 patients and parents of patients at the UF
Pediatric Primary Care Clinic at Tower Square, now known as UF Health
Pediatrics -- Tower Square, that they should take appropriate measures
to protect themselves from identity theft. UF is offering fraud
resolution services for those who suspect or confirm identity theft
associated with this incident; the fraud service offer is good for one
year.

"We deeply regret what happened and share the frustration associated
with this situation," said Susan Blair, chief privacy officer for the
University of Florida. "Protecting patient information is a top
priority for us, and we are committed to finding new ways to identify
and help prevent employee misconduct."

The Office of the State Attorney, the Internal Revenue Service and the
U.S. Secret Service are continuing to investigate a statewide identity
theft ring. The university learned of the alleged incident from state
and federal law enforcement officials on April 11. The employee may
have used pediatric patient records to steal personal information
including names, addresses, dates of birth and Social Security
numbers. The employee was terminated, and law enforcement is taking
action against the individual.

After notification from the Secret Service, UF cooperated with law
enforcement and conducted a separate investigation about the use of
patient records. This review determined that some patient records were
accessed inappropriately. But because the employee also was assigned
to access records as part of their job responsibilities, it was not
possible to determine whether the information was misused.

"We wanted people to be aware of the situation, so that they will have
the opportunity to take additional precautions," Blair said.

The letters sent to parents and patients include information about the
incident, steps they can take to protect themselves, information about
identity monitoring services and steps recommended by the U.S. Federal
Trade Commission about checking credit reports.

To further help prevent misuse of information, those affected may wish
to contact the three major credit agencies and notify them that
personal information was inappropriately accessed and misused.

For questions, visit http://privacy.ufl.edu/ or call 877-552-1299.
This call center is open from 7 a.m. to 7 p.m. EDT, Monday through
Friday, and 10 a.m. to 4 p.m. EDT on Saturdays, until June 15.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
