PA health system reports 144-patient data, identity theft

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://healthitsecurity.com/2013/03/13/pa-health-system-reports-144-patient-data-identity-theft/

In what’s turned out to be a multi-layered case, 144 patients of
Community Hospital in Chester and Crozer-Chester Medical Center in
Upland, PA had their names, dates of birth and Social Security numbers
stolen in an IRS tax fraud sting from January 2008 to September 2011.

Rafael Henriquez Polanco, 30, and wife, Yanira Lopez, 27, according to
delcotimes.com, allegedly filed fraudulent tax returns with fake W2
forms, sought $1.7 million in refunds and ended up with $257,710 in
return money from the U.S. Department of the Treasury. The couple had
paid hospital employees to steal confidential medical forms and from
there they would use those forms to steal patient identities.

The couple is facing charges ranging from conspiracy to defraud the
government, aggravated identity theft, passport fraud and presentation
of an immigration application containing a false statement. The report
also says that Lopez was charged with wire fraud and is looking at 52
years in prison if convicted while Polanco faces 32 years in jail if
convicted.

The U.S. Department of State Diplomatic Security Service, the
Department of Labor, IRS Criminal Investigations, and Immigration and
Customs Enforcement Homeland Security Investigations handled the case
and charges. But one has to wonder whether the Department of Health
and Human Services (HHS) plans on getting involved in the case to see
if Crozer could have prevented the patient data theft.

Polanco and Lopez were Crozer Keystone Health System and, according to
philly.com, Crozer spokesman Grant Gegwich said two employees,
non-professional employees of the hospital employees, have been
terminated for their involvement. While there were no other details,
Gegwich said procedures for handling and disposal of documents
containing patient information have been modified. Considering that
Gegwich said the hospitals were notified of the information theft in
October 2011, will those modifications be sufficient if HHS or the
Office for Civil Rights (OCR) comes knocking?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.