A computer server containing Social Security numbers and other personal information of 700,000 people was stolen last month from a Southside debt-collection bureau in what appears to be the largest computer security breach ever in Indiana.
The information includes customer-billing records for about 100 Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.
The exposed data was limited to past-due billing information that had been turned over for debt collection to the Central Collection Bureau, the agency announced Friday. Customers whose accounts were in good standing were not affected.
The bureau collected overdue bills on behalf of dozens of Indiana companies, including hospitals, medical and dental offices, window companies, water-conditioning companies and flower shops.
"We're obviously heartsick about this," said Chet Klene, the collection agency's president. "We've been in business since 1972, and nothing like this has ever happened before."
He said the missing computer server contained personal billing information that was protected by two passwords but was not encrypted. He said the server had been stored behind three locked doors.
Klene said the break-in occurred on Good Friday, March 20. The first employee arriving at work that day noticed the break-in and immediately called the Indianapolis Metropolitan Police Department, which investigated but has not found the server. The collection agency has notified companies whose billing records have been compromised, Klene said.
Joan Antokol, a lawyer specializing in computer security at Baker & Daniels, an Indianapolis-based law firm, said the breach was the largest she had seen in Indiana. No larger breaches in Indiana are included among the hundreds of incidents listed on Privacy Rights.org, a national clearinghouse.
"It's a problem that continues to grow," Antokol said. "There are new cases reported all the time. It's a serious problem."
Still, this breach does not rank among the top dozen or so nationally. Retailer TJ Maxx reported that as many as 100 million accounts were compromised as a result of thefts and hack-ins since last year.
The U.S. Department of Veterans Affairs said information on more than 28 million veterans might have been exposed after a laptop was stolen from an employee's house in 2006. Monster.com, a Web-based job service, said information on more than 1 million job seekers had been stolen last year, containing names, addresses, phone numbers and e-mail addresses.
A spokesman for Citizens Gas said its missing records were past-due billing statements for 51,000 former customers that it was unable to find on its own. The information included names, last known addresses, Social Security numbers, dates of service and amount due.
Citizens has no way of notifying the former customers because their whereabouts are unknown, spokesman Dan Considine said.
"We certainly take this very seriously, any time there is a security breach, and we hope it gets cleared up very soon," he said.
St. Vincent Health said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old. The stolen information included patient billing information for St. Vincent Hospital and affiliated physicians' practices, spokesman Johnny Smith said.
"We're committed to protecting confidential information of our patients. We regret any inconvenience to them," Smith said.
Billing records of about 62,000 patients of Methodist Medical Group, a physicians' group owned by Clarian Health, also were missing, as are the records of thousands of patients at Howard Regional Health System in Kokomo.
The break-in is being investigated by IMPD and the Indiana attorney general's office.