From: Sun-Sentinal

By Ed Komenda

With a few key strokes and clicks of a mouse, an employee with the Palm Beach County Health Department accessed everything.

The employee used a computer to view all manner of patient records. Names, prescriptions, social security numbers: nothing new to someone who had walked through the department’s halls for years.

But on Friday, that employee was fired after authorities determined he or she created a list of the names and social security numbers of at least 86 patients before trying to mail the data to use in any number of ID scams.

This disclosure, authorities say, is just another example of a growing trend of illegal data-mining inspired by the criminally lucrative practices of fraud and identity theft.

“Data is king,” said Linda Webb, president, Contego Services Group, LLC, a provider of insurance and risk management services. “Data can be more dangerous than the most powerful drug lords on the streets.”

The Palm Beach County employee, who deputies have not yet identified or arrested, allegedly transcribed the information from digital files stored on a centralized computer system, then packaged the list to mail.

But investigators confiscated the package, according to health department spokesman Tim O’Connor, before it hit the mail truck.

Though the list did not contain medical, bank account, credit card or other personal information, the social security numbers are enough to be used in schemes such as tax return fraud.

Palm Beach County detectives did not disclose when their investigation began but suggested it wasn’t the first time this employee had mailed personal information.

“There were additional names,” O’Connor said. Some of those names, he added, were used in ID thefts or frauds, but the number of additional patients and nature of the alleged crimes against them is unknown.

Because Health Department officials could not easily contact every person on the list, they had to make a public announcement about the illegal disclosure of personal information.

Health department officials also sent everyone on the list a notification letter.

“We are taking every precaution possible and cooperating with law enforcement to assure all records are maintained with the utmost of security,” said Health Department Director Dr. Alina Alonso, in an email statement Friday.

The employee had been trained, O’Connor said, to handle medical documents and understand HIPAA laws – which protect patients’ medical and personal information from leaving the doctor’s office.

All of the county’s medical records are digitally filed on a central computer system programmed with firewalls that track users’ every move. The firewall records the name of the user and the time and date he or she accessed the files.

After viewing computer records, officials said there was indication the employee tried to access patients’ financial information.

But it is unclear how the employee transcribed the digital information to paper.

Financial experts say the temptation among clerical workers to sell data to the black market is growing stronger – because it can be so lucrative.

In the wrong hands, a patients’ name and social security number can offer criminals the opportunity to turn those simple strings of numbers and letters into a hefty profit.

All manner of fraud – whether to get credit cards, Medicaid, prescription drugs or refunds from the Internal Revenue Service – starts with data.

“That’s all a person needs,” said Webb, known as the “Fraud Dog” to colleagues.

The Internal Revenue Service may have delivered more than $5 billion in refund checks to identity thieves who filed fraudulent tax returns for 2011, the Associated Press reported on Thursday.

And financially, it could get worse: Treasury Department officials estimated thieves could pull an additional $21 billion over the next five years.

Others contend there is much more than money at stake.

“Your medical records can get mixed up with a criminal’s records,” said Mark Eichorn, assistant director in the Federal Trade Commission’s Bureau of Consumer Protection’s Division of Privacy and Identity Protection. “If you have an O positive blood type, you could end up with a criminal’s blood type in an emergency situation.”

So, how do you thwart identify theft?

If Eichorn had his way, agencies would no longer treat social security numbers as secret passwords.

“Social Security numbers should not be taken as proof that you are who you say you are,” Eichorn said, then suggesting the use of multiple numbers or passwords.

Health Department officials ask that anyone who has been a patient at one of the department’s seven health centers in Palm Beach County should review their credit history for any fraudulent or suspicious activity.

People who have had fraudulent activity should contact the Palm Beach County Sheriff’s Office at 561-471-7450.