Identity breach affects hospital

http://www.whittierdailynews.com/news/ci_8710866

By Airan Scruby
Staff Writer
Whittier Daily News
03/26/2008

WHITTIER - About 5,000 past and current employees at Presbyterian Intercommunity Hospital had their private information stolen, officials said Wednesday.

The data included Social Security numbers, birth dates, full names and other records stored on a desktop computer that was stolen from a Fullerton data management group on Feb. 11.

In addition to the 5,000 employees, another 35,000 identities from 18 other companies were stored on the computer, officials said.

According to hospital Human Resources Vice President Lon Orey, the employees will be given a one-year subscription to LifeLock, a group which tracks the user's information and guards it from illegal use.

"We take the treatment of employee information very seriously," Orey said, "and we will continue to do everything we can to protect them."

A letter informing employees that their information was in jeopardy was dated March 13, more than a month after the breach.

Spokeswoman Terri Starkman said the hospital would not comment about the lapse between the theft and notification.

"I really don't have any further information other than that," Starkman said.

Police arrested Todd Irvine of La Habra on March 7 after they tracked the stolen computer to his house through an IP address. They found other stolen computers and equipment, according to Fullerton police.

Sgt. Mike MacDonald said it was unlikely that the identities stored in the computer were the target of the thief. The suspect probably just wanted the electronics, he said.

Irvine, 43, was arraigned and remains in custody, MacDonald said.

Those affected either work or have worked for Presbyterian Intercommunity Hospital and received health benefits through that employer, Orey said. Among those groups are the Los Angeles Department of Water and the Modesto City School District, police said.

According to Orey, the sensitive information was given to Systematic Automation, Inc., so that the company could relay information to health insurance providers on behalf of employees.

Orey said the hospital did not ask for permission to give the information to Systematic Automation.

"It's just an automatic kind of thing," Orey said.

A Systematic Automation representative said the company immediately notified its partners that were affected and was working with police. The representative declined to give his name.

In an official statement, the hospital said that it "like any large company, relies on the services of outside experts to perform various functions on its behalf."

Orey said the incident has prompted a closer look at employee security.

Many affected by the breach have requested coverage through LifeLock to last more than one year, and Orey said the hospital is considering extending the benefits. He said the hospital may even give coverage to all of its current 3,000 employees, just to be safe.

"There is a high probability," he said, "we're going to make this an ongoing program for employees."