[SecurityRatty] tag: seniors

CBAC & Medical Identity Theft

Thu, 10 Jul 2008 06:09:41 +0000

Good story to keep in mind for those of you working on CBAC. Claims neeed protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth)

The Sopranokovs

The Russian mob comes to town with a new scam—medical identity theft.

When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention.

The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems.

Price and other federal investigators were skeptical.

On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months.

“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.”

By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone.

Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case.

And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos.

From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft.

...

“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.” Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME.

For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME.

Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital.

There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it.

That honor system is not working.

The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region.

Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.

i-safe has some great articles for your online safety

Wed, 02 Jul 2008 19:25:39 +0000

They have a bunch of learning modules for kids to seniors to law enforcement.
Check em out.

clipped from ilearn.isafe.org

Which module do I watch?
There are five options with five different users in mind. Those registered as educators with i-SAFE have the greatest
access to view the modules because you work closely with students and parents. Those registered as parents and fifty+
have access to either of those modules since many users fit both categories. However, students are limited to the i-MENTOR
Training Network. And the Operation i-SHIELD module is reserved for those in law enforcement. Below is a breakdown of each
module. To begin, please register by creating a user name and password at the top of this page. That will help direct you to
the appropriate i-LEARN module. Enjoy!

Hacking Case Shuts Out Valedictorian, Other Seniors

Wed, 04 Jun 2008 23:28:04 +0000

And what did we learn today class? That’s right. Hacking the school computers has consequences associated with it.

Now slap yourself and head back into the detention hall. Dumbass.

From the Houston Chronicle:

George Bush High School’s valedictorian is among a group of Fort Bend Independent School District seniors who will not be allowed to take part in graduation ceremonies because of an investigation into tampering with the district’s computer network.

Khurrum Khan, 18, is the only valedictorian involved in the computer tampering incidents, which also occurred at Hightower and Elkins high schools, district spokeswoman Mary Ann Simpson said Tuesday.

The speech at the Bush graduation ceremonies will be given by the class salutatorian Saturday.

I recall this one. I wrote about this a while ago. But this part still amazes me,

The case is a potential a felony because investigators estimated the financial loss to the school district at a minimum of $190,000.

Sure block them from the grad ceremony, fair enough. But, 190K? Bite me.

Article Link

Academy Learning Centres stolen computers affect seniors

Thu, 29 May 2008 05:14:25 +0000

Technorati Tag: Security Breach

Date Reported:
5/22/08

Organization:
Academy Hearing Centres

Contractor/Consultant/Branch:
None

Victims:
Patients (mostly seniors)

Number Affected:
"Dozens"

Types of Data:
Names, addresses, credit-card numbers, health information and health-card numbers

Breach Description:
"Dozens of Calgary seniors are alarmed after learning their credit-card numbers, addresses and health-card numbers were stored on computers that were stolen recently. The Academy Hearing Centre in Brentwood Mall, which provides hearing tests and equipment, mostly to seniors, recently mailed out letters warning of the theft."

Reference URL:
CBC News

Report Credit:
CBC News

Response:
From the online source cited above:

Dozens of Calgary seniors are alarmed after learning their credit-card numbers, addresses and health-card numbers were stored on computers that were stolen recently.

The Academy Hearing Centre in Brentwood Mall, which provides hearing tests and equipment, mostly to seniors, recently mailed out letters warning of the theft.

The Academy Hearing Centre refused the CBC's request for an interview, saying only that there is no need for clients to be alarmed.
[Evan] This is it? Is this indicative of the service that one could expect from Academy Hearing Centres? Organizations should be more open and willing to talk about what they do to protect confidential information, unless they don't know themselves. Shame shame.

Victim Reaction(s):
"I got scared," said one elderly female client who purchased a hearing aid from the company.

She requested that her name not be released because she is worried about her security.

The woman said the thieves nabbed her name, address, health information and Alberta health-care number.

"It's the same thing, like somebody steals your social insurance number," she said.

She added that she was unable to change her health-card number.

"I called up Edmonton, the health insurance centre, and she said you have to wait about six months. Just have to notify your doctor, the family doctor. So somebody might be using my number, so let's hope it won't happen."

Commentary:
I wish I had more information to share about this breach, but this is all that is publicly available. In anyone has anything more to share, please feel free to comment. Posted on the Academy Learning Centres web site:

"if there is any question left unanswered, please do not hesitate to contact one of our team directly by calling: ph: 403. 210. 2482."

If you suspect that you may be affected by this breach, or if you want more information, I suggest that you call. Victims can demand answers; after all they are the data owners. What makes this breach especially difficult is the fact that it affects customers that are generally easy victims of fraud and deception.

Past Breaches:
Unknown

Way to go Dennis!

Sun, 25 May 2008 10:56:04 +0000

A story with a good ending. So many Vets dont get what they deserve form us.

clipped from www.steamboatpilot.com

Country, community, commencement

Craig — The year was 1964, and Dennis Collins, a wild, 17-year-old Moffat County High School junior, had a family tradition to follow and a country to protect.

Collins, 60, joins more than 150 high school seniors in donning cap and gown and receiving their high school diplomas during commencement services in the MCHS gymnasium.

Wellesley seniors' personal information lost in mail

Fri, 29 Feb 2008 08:48:00 +0000

Technorati Tag: Security Breach

Date Reported:
2/29/08

Organization:
Town of Wellesley, Massachusetts

Contractor/Consultant/Branch:
Wellesley Health Department

Victims:
Certain town residents who received flu shots, all over the age of 65

Number Affected:
480

Types of Data:
Names, dates of birth, addresses, and Social Security numbers

Breach Description:
An envelope containing sensitive personal information belonging to seniors was sent from the Wellesley Health Department to a Medicare processing office in Charlestown. When the envelope arrived it was missing the list of information. The U.S. Postal Inspection Service and local police are investigating.

Reference URL:
The Boston Globe
WCVB-TV Channel 5
The Boston Herald

Report Credit:
WCVB-TV Channel 5 News

Response:
From the online sources cited above:

NewsCenter 5's Steve Lacy reported that the seniors got the flu shots last fall and then, last week, the town sent an envelope with all their personal information, including names, ages, addresses and Social Security numbers to Medicare as part of the reimbursement process.

All those listed were age 65 or older.
[Evan] Wonderful. Seniors are typically the easiest targets with much to lose.

The roster was mailed Feb. 21 by the town to Medicare for reimbursement.

The envelope arrived but was missing the list of names

Wellesley police were notified and launched an investigation, as has the U.S. Postal Inspection Service.

The sealed envelope was reportedly hand-delivered to the post office for mailing, which reduces the chances the information was stolen.
[Evan] This does not reduce the risk to a point that would be acceptable to me. Hand delivering the envelope to the post office eliminates one opportunity (maybe two) for loss, and that is between the Health Department office and the post office. It does not take into account theft or loss at the post office, between post offices, between the destination post office and the Medicare processing office, or within the Medicare processing office. Not to mention data destruction procedures once the information has been entered into the systems. In my opinion, this is a poor attempt at minimizing the situation.

The Postal Service is trying to determine whether theft or mechanical failure was to blame.

"There would be no reason why we would have questioned or hesitated using the US Postal Service to do this," Cohen said of the department's choice to send personal information through the mail. "We've been doing it for years this way. And I suspect most providers do it this way.", Shepard Cohen, chairman of the Board of Health in Wellesley
[Evan] Really? Do you think it's OK to send personal information including Social Security numbers in the mail nowadays? This is a fantastic opportunity for identity thieves. If I had a dime for every time I've heard "We've been doing it for years this way", I would be a rich man. Times change, people change, technology changes, an ______ changes (fill in the blank). Don't you think processes should change too?

One possible sign of ID theft is if consumers fail to receive bills, because thieves sometimes change mailing addresses to cover their tracks. Another is if consumers receive credit cards they did not apply for or if they are suddenly denied credit. Also, if consumers receive telephone calls about items they have not purchased.

The town said it will be mailing letters to anyone effected by early next week.

Commentary:
I wish that Mr. Cohen was wrong when he stated "I suspect most providers do it this way", but I would be fooling myself if I thought it weren't true. Most providers probably do follow similar processes that put confidential information at risk. Confidential information is money in the right (or wrong) hands.

Possible solutions...
Don't use Social Security numbers as identifiers (probably a lot of work!).
Send the information on an encrypted CD.
Send the information through a VPN
______ (add your own).

Past Breaches:
Unknown

Pennsylvania Department of Aging seniors affected by stolen laptop

Thu, 03 Jan 2008 14:18:52 +0000

Technorati Tag: Security Breach

Date Reported:
12/19/07

Organization:
State of Pennsylvania

Contractor/Consultant/Branch:
Department of Aging

Victims:
Pennsylvania senior citizens

Number Affected:
21,000

Types of Data:
Names, addresses, Social Security numbers, medical information and list of services received from the state.

Breach Description:
A laptop computer containing sensitive personal information belonging to Pennsylvania senior citizens was stolen from a Department of Aging employee's home on December 5, 2007.

Reference URL:
Patriot News Story (original)
Patriot News Story (updated)

Report Credit:
Jan Murphy, Patriot News

Response:
From the online sources cited above:

A state Department of Aging-owned laptop computer containing personal information on nearly 21,000 senior citizens was stolen from a Johnstown home during a Dec. 5 break-in.

The computer was issued to a department employee who works with the agencies on aging in Indiana, Union, Snyder and Clearfield counties

Police suspect the computer was taken for its street value
[Evan] Why would they suspect this? Criminals are not too bright for the most part, but the value of the computer is maybe $1,500. The value of the information is maybe $20+ per record (depending on quality). $20 x 21,000 = $420,000! $420,000 or $1,500?

There have been no reports of misuse of the information, which included names, addresses, Social Security numbers, some medical information and the services clients received

The affected seniors are in the process of being notified, and credit protection from TransUnion will be provided for 90 days at a cost to the state of $23,000
[Evan] 90 days? Why even bother?

Seniors then have the option of having the credit protection extended for a year at the state's expense.

Information on the computer was double password protected
[Evan] Oooh. Double password protected?! Nothing more than a minor nuisance to circumvent.

the department was in the process of encrypting computers and has since completed that work to provide additional protection
[Evan] Amen! The department has seen the light!

It also is in the process of centralizing information about clients so that the information does not have to be downloaded onto laptops when employees are out in the field, but that work is not completed
[Evan] Another good security practice.

Commentary:
The Pennsylvania Department of Aging should be commended for their decision to encrypt computers (complete) and centralize confidential information (in-process). These are two wise security decisions that will reduce the risk of future exposure. Obviously, there is much more that goes into an effective information security program and risk management, but we can assume that the department is taking these matters very seriously. Maybe the four breaches occurring at the State of Pennsylvania in the past four months spurred the changes, or maybe they were already in the process of making changes and these are unfortunate circumstances.

It stinks that these 21,000 seniors were on a computer that had not yet been encrypted.

Past Breaches:
December, 2007 - Stolen Pennsylvania Department of Public Welfare computer
September, 2007 - Pennsylvania Department of the Auditor General stolen laptop
September, 2007 - Stolen Pennsylvania Department of Public Welfare computers, 375,000 victims

Some Massachusetts seniors are at risk

Tue, 04 Dec 2007 13:17:26 +0000

Technorati Tag: Security Breach

Date Reported:
11/30/07

Organization:
State of Massachusetts

Contractor/Consultant/Branch:
Executive Office of Health and Human Services

Victims:
Prescription Advantage insurance program members*

*Prescription Advantage is a state-run program that offers drug insurance to seniors in Massachusetts.

Number Affected:
150,000

Types of Data:
"personal information"

Breach Description:
Authorities arrested an identity thief in August, 2007 who had been using information obtained from the Massachusetts Presrciption Advantage program in an attempted identity theft scheme. It is not yet clear how the thief obtained the information.

Reference URL:
PC World Story
Information World Story
The Boston Herald Story

Report Credit:
Associated Press via The Boston Herald

Response:
From the sources cited above:

Thousands of senior citizens are being warned about a computer security breach involving the state’s Prescription Advantage program.
[Comfyllama] It seems like senior citizens are among the easiest prey for identity theives.

Executive Office of Health and Human Services spokeswoman Alison Goodwin wouldn’t say what kind of personal information may have been compromised, such as names, addresses or Social Security numbers.

Local authorities arrested a lone identity thief in August who had been using information taken from the program in an attempted identity theft scheme, said Alison Goodwin, a spokeswoman for the state's Executive Office of Health and Human Services.

Goodwin could not add many details on the nature of the breach, citing an ongoing criminal investigation, but she said Prescription Advantage is conducting an internal review of the incident to determine if additional security measures might be required.
[Comfyllama] If data leaked, then I would say that additional security measures are probably required. Sounds obvious, but to some it just doesn't sink in.

The data breach did not affect all members of the program, Goodwin said
[Comfyllama] I wonder how this conclusion is drawn? If the breach does not affect all 150,000 then why inform 150,000? Maybe Prescription Advantage doesn't know who was affected and who wasn't.

Prescription Advantage recently began notifying 150,000 members potentially affected, as required by state data-breach laws.

"A few members were recently the victims of attempted identity theft," the state said in a Nov. 19 letter sent to possible victims.
[Comfyllama] OK, here it states that a few members were victims of identity theft and earlier statements said the identity thief "had been using information taken from the program".

The staff that maintains the program has "no reason to believe" that any Prescription Advantage members' data has been misused, the letter adds.
[Comfyllama] Here, the letter states that there is no reason to believe that any data was misused?! A little confusing and contradictory. If confidentiality cannot be assured, assume it has been lost.

Members who have questions about the breach can call Prescription Advantage during regular business hours: 1-866-523-6846 or 1-877-610-0241 for those who are hearing impaired.

Commentary:
Much is left in the dark about this breach. I certainly hope that more details are being shared with victims. They should demand it.

I am curious about too many things to even mention them all.

Past Breaches:
October, 2007 - Massachusetts DPL sends Social Security numbers in mail

NY STAR: An accident waiting to happen

Thu, 02 Mar 2006 19:37:31 +0000

The New York State School Tax Relief (STAR) program is an identity theft “accident” waiting to happen. Homeowners apply for property exemptions on their primary residence, and file with their local tax assessors. (In the first year or so of this program, total chaos ensued in assessor’s offices all over the state.) Extra tax exemptions for senior citizens are means-tested, and require homeowners to submit their SSN or a copy of their income tax returns to the local assessor.

In New York City, they want SSNs from everybody. Just because it’s authorized by law (in the NYC Administrative Code) doesn’t mean it’s a good idea. Everywhere else, they’re only collecting SSNs or income tax returns from low-income seniors.
It’s hard to justify leaving so much personal financial information sloshing around assessor’s offices all over the state. And which is worse: copies of tax returns in piles in sleepy small-town assessor’s messy offices, or huge indifferent big-city assessor’s chaotic offices? Need to know? Mind your own business.
As their normal traffic is public information, assessors are not necessarily tuned to protecting private personal information. For a recent example of a public record agency handling private data, see the story of how the Suffolk County (NY) clerk’s normal processes put a few thousand SSN’s in the public record [via Emergent Chaos].
Perhaps all these violations of “don’t ask for information you don’t need” and “don’t store information you don’t need again” were less serious even a few years ago, but the consequences of these old ways are getting worse every day.
Though it’s hard to patch the process perfectly, one simple fix would be to direct the flow of sensitive information away from local offices, e.g. create a state tax return checkoff that allows the income tax people to inform the assessors about eligibility and primary residence status without revealing any income information.
Well, the politics is irritating too. Creating yet another “take with one hand, give back with another” program is inefficient, and clearly its primary purpose is to create an opportunity for attaching a politician’s name to a tax cut, with extra discrimination making the program harder to kill.

Update 3/7/2006 see also: The public servants at the Ohio secretary of state insist on treating documents that pass through their hands as public despite embedded SSNs.

Update 4/11/2006 see also: Broward County (FL).