One bad apple.  That is all it takes to ruin the whole bushel.  In the case of companies, the same thing can be said about one employee.  At the Legacy Clinic Mount Hood in Portland, Oregon, it was recently discovered that a employee was stealing sensitive information from patients and using the information to profit from their misfortune.  Despite this breach having just been discovered, the clinic has said that it no longer employees the individual and has not for some time.  No name has been given of the individual, but officials for the clinic say that they person is being investigated by law enforcement agencies and that they are closing in on the necessary information to arrest and prosecute them.

The breach took place between January 2006 and February 2007.  It appears that when people went to make their co-pays, the individual would pocket any cash given to them, but also steal social security numbers and credit card numbers.  They were then to get dates of birth and addresses out of the computer system.  With over $13,000 in cash missing over the years, the clinic has been slow to explain why the breach took so long before it was discovered.  An investigation into the incident is underway by both the local authorities and the federal government.  The government agents are checking to see whether or not there were any violations in HIPAA.

The clinic has sent out letters to all the affected individuals.  In all the current total is around 750, although this number might increase as the investigation continues.  A call center has been set up to deal with all the calls that have been coming in with questions about the investigation and what affected people should do.  The clinic has said that they will provide up to $25,000 in identity theft insurance and will also provide credit monitoring services.  These types of services include the ID theft subscription company Lifelock.  By signing up with Lifelock, someone knows that they will have monitoring of all three major credit bureaus.  Whenever a new loan or credit card application is filed, they contact their customer to make sure that they are the person really submitting the information.  If they are not, then the application is scrapped and the identity thief does not win.

Those patients who made the co-pay that was pocketed or had extra money taken from their credit card account have already been repaid.  No word yet on why it took so long for the breach to be reported to the public.  Security officials are also wondering what measures that Legacy Clinic Mount Hood is going to take so that this type of easy access is not given to employees in the future.  This is part of the ongoing debate about digitizing more and more of the medical information about patients that come into medical facilities.  Safeguards need to be put into place so that the system is not manipulated from either the inside or the outside.

Tags: Legacy Clinic Mount Hood, lifelock

This entry was posted on Tuesday, August 26th, 2008 at 12:24 pm and is filed under Corporate Breaches, Individuals. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.