TAMPA — An employee at Amerigroup, a national managed medical care company, is accused of stealing client information for use in filing fraudulent tax returns.
Another woman who worked at an unidentified Tampa area car loan company recently pleaded guilty to stealing personal information from hundreds of customers. The information was used to file 526 fraudulent tax returns claiming more than $5 million in bogus refunds.
And a medical support assistant at James A. Haley Veterans Administration Hospital was sentenced Thursday to six years in prison for stealing personal information of hundreds of wounded veterans being treated at the hospital. He sold the records for crack cocaine to people who used them in tax refund fraud and to open fraudulent credit accounts in the names of the veterans, some of whom were fighting for their lives.
New examples continue to emerge in the Tampa area of criminals getting personal information entrusted to businesses and government institutions at the same time the nation faces the fallout of massive data breaches affecting millions of consumers at retailers like Target and Neiman Marcus.
The breaches aren’t limited to private businesses.
Early in the Tampa area tax refund fraud outbreak, officials say, a website for an area sheriff’s office was used by identity thieves because it contained Social Security numbers and dates of birth for inmates. Once notified of the issue, the sheriff’s office, which officials won’t name, fixed the problem.
More recently, an employee at Quest Diagnostics, a national chain of medical labs, was arrested last month after the Hillsborough County Sheriff’s Office and the FBI searched her home and found pieces of paper with names, Social Security numbers and dates of birth of about a dozen patients. She was charged under the state’s new beefed-up identity theft law while detectives continue their investigation into whether that information was used in fraud.
As law enforcement officials say they are making progress in controlling the wave of stolen identity tax refund fraud that washed over Tampa area streets in the last few years, personal identity information remains vulnerable to thieves.
While authorities say Tampa is no longer one of the top cities in the country for tax refund fraud, the Tampa/St. Petersburg area ranked No. 19 among metropolitan areas nationwide for identity theft, according to a report in February by the Federal Trade Commission. According to the report, there were nearly 500 reports of identity theft for every 100,000 people in the area.
Florida is the highest-ranked state both for reported per capita fraud and identity theft, the FTC found. The top-ranked area nationwide was Homosassa Springs.
Law enforcement officials say cutting the availability of personal identifying information would go a long way toward solving the tax refund fraud problem, as well as curtailing other kinds of identity theft-related fraud.
“Getting the (personal identifying information) locked down is huge,” said Tampa Police Sgt. Pat Kennedy. Imposing severe penalties on companies that fail to secure the information “would be a huge help in the fight.”
Rick Taveras, special agent supervisor for the Florida Department of Law Enforcement Tampa Bay region, said compromised personal information “continues to be an issue.”
“We are doing some things on our end to try to change that,” Taveras said. He said the agency met in the last year with medical and financial professionals about the importance of protecting information for their patients and clients.
FDLE Assistant Special Agent in Charge Troy Walker said the alliance of federal, state and local law enforcement agencies formed to fight tax refund fraud has also launched a “huge marketing campaign” alerting businesses and the public about the importance of protecting personal information. “There has been an impact because we are not where we were a year ago or two years ago,” Walker said. “There’s constant education.”
“We have to give an even higher priority to the large-scale theft of the personal identifying information,” said U.S. Attorney Lee Bentley. “If we stop that, the large-scale theft, we’ll cut the problem down significantly.”
Bentley said in a statement that his office “has successfully prosecuted individuals who have stolen personal identifying information from hospitals, government agencies, banks, and other institutions. Unfortunately, however, we cannot prosecute ourselves out of what is a growing problem. All businesses that collect and maintain such information need to erect adequate safeguards to protect it from identity thieves.”
Bentley said companies that are reckless or negligent in how they keep personal data could face lawsuits by consumers. “In addition, our office will explore and consider all available legal remedies, where appropriate, to assist those adversely affected by corporate breaches.”
There are efforts both in Tallahassee and Washington, D.C., to increase accountability on the part of businesses and government agencies entrusted with personal information.
Last week, Attorney General Eric Holder called on Congress to enact legislation requiring businesses to promptly notify law enforcement and consumers of significant data breaches. “These crimes are becoming all too common,” Holder said in a video statement. “It is time for leaders in Washington to provide the tools that we need to do even more by requiring businesses to notify American consumers and law enforcement in the wake of significant data breaches.”
Sen. Patrick Leahy, D-Vt., has introduced for the fifth year in a row the national Personal Data Privacy and Security Act, which would create a national standard for businesses, requiring them to take steps to protect private data.
Chairing part of a Judiciary Committee hearing on the legislation last month, Sen. Al Franken, D-Minn., said, “Right now, there’s no federal law setting out clear security standards that merchants and data brokers need to meet. And there’s no federal law requiring companies to tell their customers when their data has been stolen.” Franken said Leahy’s bill would fix that.
A bill being pushed on the state level by Florida Attorney General Pam Bondi would also require Florida companies to take reasonable measures to protect personal data. “Consumers should not have to live in fear that a data breach at a business or governmental entity can cause complete chaos in their lives and lead to fraud and identity theft,” Bondi said in a statement.
The proposal doesn’t specifically define “reasonable measures,” and Bondi’s spokesman, Whitney Ray, said the office will evaluate steps businesses take “on a case-by-case basis depending on the type and amount of data that is being stored, the type and size of the business, and the cost of available tools to improve security and reduce vulnerabilities.”
Violations would be treated as an unfair or deceptive act or practice under the law and lead to fines of up to $10,000.
The proposed legislation would also require businesses to notify the Attorney General’s Office and people affected by breaches within 30 days unless law enforcement requests a delay for investigation purposes. Current state law requires companies to notify affected individuals within 45 days. Businesses that fail to provide timely notifications would face fines of up to $500,000.
The House Civil Justice Subcommittee voted to approve the bill last month, with a dissent from Rep. James Waldman, D-Coconut Creek, who generally supported the idea but said he was worried small businesses might not be able to comply because they won’t know what’s needed. He also said any fines levied against businesses should go to identity theft victims and not the Attorney General’s Office.