Identity theft victims emerge in PHS data theft case

A handful of people have approached the authorities in the U.S. state of Oregon to say that their personal information, stolen from a Providence Health System employee, has been used illegally. Police are still verifying the claims linked to the theft of data tapes and disks with the personal details of 365,000 people at the end of last year.

At the beginning of February Providence Home Services, a branch of Providence Health Systems, announced that the private data of 365,000 patients had been on computer tapes and disks stolen from an employee's car. The actual incident took place over one month earlier, but there had been no reports of the information being used illegally until a few days after the company publicized the incident.

Shortly after the announcement, the authorities started receiving complaints from members of the public claiming they had fallen victim to identity theft. There is as yet no proof that those incidents are connected to the leak from PHS, although a number of indirect facts suggest it may be the case.

One person in particular told the police that someone had attempted and failed to make a purchase using their credit card number in New Jersey. The credit card number matched that of a person on the list of victims of the Providence data theft.

And in the latest twist of illegal activity, there are reports of "predators" representing themselves as Providence employees investigating the data theft. The fake employees call patients and ask for personal information, such as social security numbers or bank account information.

Experts have suggested that if an organized criminal group was involved in the theft of the PHS data, then it is highly likely that a company insider was among the criminals. The thieves would have needed to know where and when the sensitive data was at its most vulnerable – in the car of a company employee.

"Where there are no systems of control governing sensitive data, insiders are capable of stealing and selling any information. In this case insiders may well have known that the data would not be encrypted and where exactly the disks and data tape would be. The only way to defend against the actions of insiders is comprehensive control over internal IT security," believes Denis Zenkin, marketing director at InfoWatch.

Source: OregonLive.com
