March 20, 2006
The High Cost Of Data Loss
The Victims
By Elena Malykhina, Larry Greenemeier, Marianne Kolbasuk McGee, and Paul McDougall |
Courtesy of |
Page 3 of 5
The Victims
We've lost control over our identities," says Eric Drew, who speaks from experience. Three years ago, while in the hospital battling leukemia, his name, Social Security number, and date of birth were used by another person to ring up $10,000 in fraudulent charges on credit cards opened in Drew's name.
It was an inside job. A lab technician who had tested Drew's blood at the Seattle Cancer Care Alliance gained unauthorized access to the hospital's computer records and used Drew's personal information to open credit card accounts. The technician, Richard Gibson, later turned himself in to the police and pleaded guilty to violating the Health Insurance Portability and Accountability Act. Gibson became the first person charged under HIPAA with misusing a patient's medical information for financial gain.
"It's disturbing that financial institutions issued credit cards without any [due] diligence that the real Eric Drew was in a hospital," Drew says.
Unfortunately, Drew's situation is all too familiar. There have been 8.9 million adult victims of identity fraud in the United States over the past 12 months, according to a report issued earlier this year by Javelin Strategy and Research and the Better Business Bureau. That's down slightly from the 9.3 million victims a year earlier, but not a sign of great progress. The problem "is not lessening significantly," says Beth Givens, director of the Privacy Rights Clearinghouse, a watchdog group that tracks data breaches that could lead to ID theft.
Givens partly blames creditors that are too willing to extend credit to people they don't know well enough and who are sometimes impostors working with false identities. "The credit evaluation process is automated," she says. "They're not looking for obvious red flags."
J. Alex Halderman, a doctoral candidate in computer science at Princeton University, about a year ago received a letter from the University of California, Berkeley, where he had been accepted as a graduate student in 2003, advising him that his personal data had been compromised. A university computer had been stolen that contained files with names and Social Security numbers of applicants and others at the university.
Berkeley warned people affected by the breach to be on the lookout for scam artists who might try to contact them under the pretense of being affiliated with the school. Halderman was shocked that two years after he applied to UC Berkeley, the application remained susceptible to a data breach. "It's amazing that data can be on file for years, even when you think you're finished with it," he says. "There's no way to take it back."
Although there was no evidence that Halderman's personal data was misused, he had a fraud alert placed on his credit file. That service lasted only 90 days, however, and he still worries that his information may fall into the wrong hands.
|
|
Warren Lambert gets word that his personal information may have been stolen from ChoicePoint.
|
|
Halderman checks his credit record regularly. The experience has left him feeling that laws do a poor job protecting people from identity theft. "You should be able to put a lock on your credit record that would require you to provide a secret PIN known only to you if you're applying for a loan," he says. Unfortunately, most states let people lock their records only after they've been victimized.
Keith Ernst of Durham, N.C., had his debit card number posted to an Arabic-language bulletin board on the Web in 2004, making it easy to reach through simple search engine queries. Several charges were rung up on his card, including a laptop purchase and an attempted tuition payment. "I got a phone call out of the blue saying that someone is using my debit card," Ernst says.
Ernst doesn't know how his debit card number got on the Web; he suspects it had something to do with a purchase he made on the Internet. He canceled the card and the bank restored the money that came out of his checking account, but Ernst learned a lesson. "I now use credit cards instead of debit cards when I shop online. I also pay a lot more attention to the vendors that I'm buying from," he says. "I would never buy from an unknown vendor."
Consumer confidence suffers at the hands of hackers and ID thieves and lax data protection measures. That means businesses ultimately feel the pain of their own negligence.
--