Women alerted to ID theft risk

November 25, 2006

By Libby Keeling, Courier & Press staff writer


More than 7,500 Hoosier women are at risk of identity theft after two computers containing protected health information collected for the state were stolen earlier this month.

The computers were taken from a health center in Jeffersonville, Ind., that contracted with the Indiana Department of Health to manage information in the state's Breast and Cervical Cancer Program, department spokesman Erik Deckers said.

The personal information of women, whose BCCP-participating health-care providers are located in the lower third of the state, is stored on the computers stolen sometime the night of Nov. 6.

When Sharylon Douglass learned that her credit could be in jeopardy, the 13-year cervical cancer survivor was "scared" and "fuming."

Although she has now taken precautions to protect her identity, Douglass' anger has not subsided.

"My information has been given out to a location that I've never even heard of. I don't even know where Jeffersonville is," said Douglass, who resides in Evansville and is employed at the Evansville Courier & Press.

Data stored on the computers may include a woman's name, address, birthday and Social Security number as well as some medical and billing information, Deckers said. The data is protected by two passwords: one required to log onto the computer and one to access the BCCP information.

Jeffersonville is located across the Ohio River from Louisville, Ky., and the Jeffersonville Police Department is investigating the theft, which occurred when someone smashed a window to gain entry to the Family Health Center of Clark County.

"That's another one of my concerns. Where was their security system when this took place?" said Douglass, who was unaware her health information was part of the BCCP until she received a letter dated Nov. 14 from the state health department.

"I just assumed the doctor's office or clinic would keep that information until time to destroy it."

Medical providers participating in the BCCP offer free or discounted exams and provide related information to the state department of health in order to receive reimbursement, Deckers said, similar to providing information to a health insurance plan. The Indiana BCCP is part of the national BCCP public health program.

"I think, in a situation like this, the state needs to rethink sending medical records outside the person's county," said Douglass, 50. "It shouldn't be in anyone else's hands, other than that county or in the state capitol itself, under lock and key."

Within a week of learning of the theft, the health department mailed 7,700 letters to potential identity theft victims, Deckers said. The department also contacted the Federal Trade Commission, Indiana Attorney General's Office and Governor's Office.

An excerpt of the letter reads:

"Please be assured that every effort is being made to resolve this matter. In addition, steps are being taken to prevent any further occurrences of this nature." The stolen BCCP computers no longer can be used to access the department's statewide network, Deckers said. The account they utilized for access has been closed. The family health center has installed a new security system, he said. At the state level, information technologists plan to implement additional security measures for electronic data.

Typically, department of health information is password protected on remote servers in secure locations, Deckers said. The information on the stolen computers had been backed up, so it has not been lost.

The department recommends those vulnerable to identity theft:

- Request a free credit report from one of three major credit bureaus: Equifax, Experian or TransUnion (available online at www.annualcreditreport.com).

- Place a fraud alert on their credit records and monitor credit reports for unusual activity.

- Obtain an identity theft victim's kit (online at www.indianaconsumer.org) if someone else uses their identity.

main page ATTRITION feedback