Date Reported:
2/13/08

Organization:
Tenet Healthcare Corporation

Contractor/Consultant/Branch:
None

Victims:
Patients*

*Tenet Healthcare Corp. owns 54 hospitals in a dozen states, including Hilton Head Regional Medical Center and Coastal Carolina Medical Center.

Number Affected:
37,000

Types of Data:
Social Security numbers and other personal information.

Breach Description:
A former employee working in the Tenet Healthcare Corporation billing center in Frisco, Texas has been convicted of identity theft.  Terrence Brooks worked for the company for less than two years and stole names, Social Security numbers and other personal information belonging to at least 90 patients, but also had access to 37,000.

Reference URL:
The Beaufort Gazette online story
The Sun-Sentinel online story

Report Credit:
Daniel Brownstein, The Beaufort Gazette

Response:
From the online sources cited above:

A former employee of a locally connected national hospital chain who was convicted of identity theft had access to the personal information of about 37,000 patients, according to a company spokesman.

Terrance Brooks, 30, of Fort Worth, was arrested Nov. 25 when he tried to open a Costco credit card using a state ID with fraudulent information, police said.

The company mailed letters last week announcing the security breach to anyone who could have been affected, said spokesman Steven Campanini.

Tenet also informed victims how to set up free fraud alerts at the nation's three major credit bureaus.

"There's an annoyance factor and we apologize for that," Campanini said. "We recognize consumer privacy is very important and take it very seriously."
[Evan] I am not personally a victim, but I am pretty sure that this surpasses "an annoyance factor" for some people.

The ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients, Campanini said. The company has paid to monitor the credit reports of those victims.

Terrence Brooks, 30, had access to 37,000 other accounts

He pleaded guilty last month to five counts of fraudulent use and possession of identification information and was sentenced to nine months in prison.
[Evan] Only nine months in prison.  In 2006, the average time it took victims to recover from identity theft was 607 hours.

He had passed a background check to get the Tenet job. Brooks was immediately fired when the company learned of his arrest.

"What's challenging in this situation is there was an employee intent on committing fraud," Campanini said. "No company can prevent that, but we can have practices in place to immediately address it when it does occur, and that's what we did."
[Evan] I agree that preventing employee fraud is challenging, but reducing risk is very impossible.  There are several things that companies can do to reduce the risk significantly (segregation of duties, job rotation, cross-training, etc.).  Access to Social Security numbers should require an additional level of clearance and this clearance should be closely scrutinized.  The normal "run of the mill" billing work does not require Social Security number access.

"I'm more concerned with what could happen than what has happened," Ashley Latzer a person that received one of the Tenet notification letters.
[Evan] More than an "annoyance"?

Tenet patients concerned about the security of their personal information may call a company hotline at 1-800-553-6101 between 8 a.m. and 6 p.m. weekdays.

Commentary:
I am concerned with how many people in companies have unnecessary access to confidential information.  One of the first steps in reduding risk of employee fraud is to limit access to confidential information to only when it is absolutely required.  The resolution of most customer service, help desk, and billing calls don't require Social Security numbers, credit card numbers (including CVV2), and other sensitive information. 

I don't know enough about how Tenet manages its data and billing center, but I am sure that creative information security solutions could reduce the risk of this happening again.

Past Breaches:
Unknown