TBO.com, The Tampa Tribune and The Tampa Times - breaking news and weather
Monday, Jul 28, 2014
Medical news

Loose data aids identity thieves

By
Published:   |   Updated: May 5, 2013 at 08:12 AM
TAMPA -

As they struggle to get control of the identity theft tax refund fraud epidemic in the Tampa area, law enforcement officials say people's private information is at risk at businesses, medical facilities and government offices across the state.

The people stealing identities agree.

Russell B. Simmons Jr. is serving 15 years for tax fraud. He said it was too easy to get other people's information, which he used to steal hundreds of thousands of dollars from federal taxpayers.

“You're giving people too much information,” Simmons said in a recent jailhouse interview. “If you work in a doctor's office or at a nursing home, don't let a person's information be so easy to access for sale to other individuals.”

Identity information is the fuel that is powering the tax refund fraud that has allowed thieves to steal hundreds of millions of dollars from federal taxpayers in the Tampa area and billions of dollars nationwide. Law enforcement officials say they routinely find suspects with other people's medical and financial records.

Tampa is not unique. Since 2009, federal law has required facilities with health care information to report breaches of protected health information affecting 500 or more individuals.

Since the law went into effect, there have been at least 571 reported breaches affecting more than 21 million patients.

A national survey released in December found 94 percent of hospitals had suffered data breaches in the preceding two years.

“Unfortunately, there's more breaches occurring more frequently and they're getting larger in the number of records that are being affected,” said Rick Kam, president and cofounder of ID Experts, which sponsored the survey.

Hillsborough County Sheriff's Cpl. Bruce Crumpler said security measures taken by many businesses, medical establishments and government offices locally are clearly inadequate and personal identity information is too available to people who are up to no good.

“We just need there to be something in place, some policy, some procedure, some software in place to safeguard people's information,” he said. “The people who touch it all need to have responsibility for safeguarding that information. And I don't think it's being done.”

Tampa Police Sgt. Pat Kennedy said personal identifiers are “too accessible to too many employees,” leading to “a lot of breaches.”

Lax security for this information, Kennedy said, is “pretty prevalent, unfortunately, and obviously, the larger the facility, the more personal information that's available.”

Calls to several federal, state and local agencies turned up no actions taken against any business or medical facility in the Tampa area for a tax-fraud related breach of personal identifying information.

Consumer law attorney Janet Varnell said Attorney General Pam Bondi should be making examples of businesses that fail to protect personal information. “I do think the responsibility is on her,” Varnell said, “and she sure as hell isn't doing very much about it.”

A Bondi spokeswoman said the attorney general is working diligently within existing law to ensure consumer personal information is kept private.

The spokeswoman, Jenn Meale, said Bondi is working in this area with the National Association of Attorneys General Privacy Working Group, federal, state and local agencies and the Federal Trade Commission.

“As we continue to work on this issue, we will review whether we can enhance our office's ability to enforce companies' data breach notification requirements under law,” she said in a statement.

Kam said medical facilities don't understand the value of their patients' information. “The people who are the bad actors know if they want this data, they can go to health care facilities,” he said. “It's literally hanging off the walls of doctors offices unprotected in many cases.”

Christopher Pittman, president of the Hillsborough County Medical Association, said local doctors are well aware of the need to protect patient information and do everything they can to make it secure.

Pittman said if people are stealing the information, they should be prosecuted and sent to jail.

“I don't think it's being kept any differently here in Tampa Bay than it is in the rest of the country,” Pittman said. “I don't think we're a wild west with Social Security numbers here unlike anywhere else in the country… This kind of breach can occur anywhere.”

Simmons, the fraud convict, said one way he got personal information was by photographing a doctor's office patient sign-in sheet that contained names, dates of birth and Social Security numbers. Rick Taveras, special agent supervisor with the Florida Department of Law Enforcement in Tampa, said agents have heard this from other suspects, as well.

“That would certainly be a violation of patient confidentiality and that practice should not exist,” Pittman said.

Taveras said thieves have found various opportunities to steal records. “We've heard about people doing dumpster diving,” he said, retrieving records discarded in garbage containers. Sometimes they hack into electronic databases and sometimes employees entrusted with information steal the data.

“I think companies should look at their databases and I think it would be a good practice for them to make sure that only people that need to know the information would have access to it,” he said.

“When I talk to small-
and medium-sized-business owners, they always answer that it's overwhelming to figure this out,” said Sam Imandoust, a legal analyst at the ID Theft Resource Center in San Diego. The business owners say it's expensive and time-consuming to take all the necessary steps to protect personal information.

Imandoust said he tries to convey that “the cost of a data breach far outweighs any of the preemptive cost and time to protect the data. The majority of small- and medium-sized businesses go out of business a year after a data breach.”

Authorities say there is a patchwork of rules governing personal information security found in various state and federal laws, with the Health Insurance Portability and Accountability Act, for example, governing medical records, and various banking regulations dictating the handling of financial information.

Varnell, who also is chair of the consumer protection law committee of the Florida Bar, gave a list of 14 federal laws and regulations governing information privacy, including the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, the Department of Health and Human Services Breach Notification Rule and the Children's Online Privacy Protection Act of 1998.

Varnell said private lawsuits are the main way negligent businesses are sanctioned. But many identity theft victims — virtually all of those interviewed by The Tampa Tribune during the past two years — have no idea and no way to prove where the thieves got their information.

Varnell said enforcing the security of personal information is “99 percent dependent on litigants bringing cases because it's such a rare circumstance that companies take steps on their own typically fast enough to deal with the problem because they don't want to admit liability for the data breach.”

The United States has what's called a sectoral approach to protecting personal information, Imandoust said. In other words, different rules have been created by federal and state governments for different sectors of information, with differences for financial and medical records, that vary from state to state. The benefit of this model, Imandoust said, is it allows rules to be customized for the various sectors.

The European Union, on the other hand, has a comprehensive system regulating information privacy, Imandoust said, with certain categories established for particularly sensitive information.

Local authorities said they have numerous examples of personal information being stolen from local businesses and medical offices, including arresting suspected drug dealers who had medical records from the Veterans Administration and finding medical records from Tampa Bay Endoscopy Center during a traffic stop.

An employee for a company that sold ADT home security systems was charged two years ago for stealing customer information for tax fraud, and deputies last year charged an employee for ProVest, which offers fraud detection services, with selling customer information.

Florida Highway Patrol troopers found documents from Optimum HealthCare Inc. linked to tax refund fraud during a traffic stop in 2011.

So how vulnerable should people feel about the identifying information that businesses, doctors and governments have collected on them?

“I think it's hard to say how exactly safe or not safe your information is, but what I would say is everyone should be on the watch out for it because no one is safe,” Imandoust said. “It's better to be on guard and expect it (to be stolen) at some point than to expect businesses to protect your information.”


esilvestrini@tampatrib.com

(813) 259-7837

Twitter:@ElaineTBO

Comments