Data Breach Linked to Tax Fraud Ring
Alabama Dept. of Public Health Notifying 1,200 Young Adults
The Alabama Department of Public Health is contacting about 1,200 individuals born in 1995 and 1996 who have had their information compromised and could be potential victims of a $20 million tax fraud ring that is being prosecuted by federal law enforcement.
On June 5, the U.S. Attorney's Office for the Middle District of Alabama and the U.S. Department of Justice's Tax Division notified the state public health department that the agencies were prosecuting a case involving the theft of personal information used for criminal activities, including the filing of 7,000 false tax returns for 2011 and 2012. Prosecutors allege the fake filings resulted in $20 million in fraudulent tax refund payments to a fraud ring that was headed by a former military hospital worker.
The law enforcement agencies determined the information used to commit the fraud was stolen from a number of entities, including Alabama's public health department as well as an Army hospital at Fort Benning, Ga.; the Alabama Department of Corrections; and an unidentified Georgia call center.
Information stolen from the health department may have included clients' names, dates of birth and Social Security numbers, state officials say. Government officials have not indicated whether patients' medical data was also stolen.
The Alabama department recently notified the U.S. Department of Health and Human Services' Office for Civil Rights of the breach affecting 500 or more individuals, as required under HIPAA, Samarria Dunson, the department's assistant general counsel and privacy officer, tells Information Security Media Group.
Reaching Out
Alabama public health officials have been contacting about 1,200 individuals whose data is believed to have been compromised, but it's not yet clear how many of those, if any, are victims of the tax fraud ring, Dunson says.
Many of those being notified received their last health services from the department more than a decade ago, she says. As a result, the agency has outdated contact information, including addresses, for many of those individuals, Dunson says. So the department has been dedicating the efforts of "several people in tracking down current contact information for the victims," she says.
In addition, because the breach victims are young adults, ranging in age from 18 to 20 years old, Alabama officials are reaching out through social media, including Facebook and Twitter, to get the word out about the incident, she says.
While the public health department is not offering free credit monitoring services, it is instructing those affected by the breach who believe they may have been a victim of fraud to contact the three major credit reporting agencies, as well as the Federal Trade Commission. The department is also instructing individuals who believe they have been victims of fraud to complete a special form and submit documentation as proof to the Department of Justice no later than July 31. And it's advising individuals who believe they are victims of tax fraud to contact the IRS.
Fraud Ring Case
In an indictment first filed in February but updated in May, the Justice Department is charging ten individuals with dozens of crimes that include conspiracy, wire fraud and tax fraud. Prosecutors allege that the ringmaster of the fraud was Tracy Mitchell, a former employee of a military hospital at Fort Benning in Georgia.
Indictment documents do not disclose the job or role Mitchell held at the hospital or when she worked there. A spokesman for the Justice Department's office in Alabama also tells ISMG that he does not know what Mitchell's job was at the military hospital, but that "she had access to a lot of information." He also could not confirm whether Mitchell previously worked for the Alabama Department of Public Health or whether there were any other connections between the fraud case and the health department.
Beefing Up Security
As a result of the fraud case coming to light, the public health department has implemented several measures to improve its data privacy and security efforts, Dunson says. That includes limiting employees' access to patient information based on the location where the employee works and their role, enhancing use of audit logs and bolstering training.
For instance, with its enhanced audit logs, managers are now alerted when employees attempt to log in to systems during unusual times or off-hours or attempt to inappropriately print out reports, she says.
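The controls described above (access scoped by role and work location, plus alerts on off-hours logins and report printing) can be expressed as audit-log rules. This is an added example, not the department's code; the event fields, business hours, role names, county values and sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Assumed policy values (not from the article): business hours and
# which roles may perform which actions.
BUSINESS_HOURS = range(7, 18)          # 07:00-17:59 local time
ROLE_ACTIONS = {
    "clerk": {"login", "view_record"},
    "nurse": {"login", "view_record"},
    "records_manager": {"login", "view_record", "print_report"},
}

def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def review(event: dict) -> list:
    """Return the alert reasons for one audit-log event (empty if none)."""
    ts = datetime.fromisoformat(event["time"])
    reasons = []
    allowed = ROLE_ACTIONS.get(event["role"], set())   # unknown role: deny all
    if event["action"] not in allowed:
        reasons.append("action not permitted for role")
    # Location scoping: staff may only touch records of their own county.
    record_county = event.get("record_county")
    if record_county is not None and record_county != event["county"]:
        reasons.append("record outside employee's county")
    if event["action"] in ("login", "print_report") and off_hours(ts):
        reasons.append("off-hours " + event["action"])
    return reasons

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"user": "u101", "role": "clerk", "county": "Lee", "action": "login",
     "time": "2013-06-10T08:15:00"},
    {"user": "u101", "role": "clerk", "county": "Lee", "action": "login",
     "time": "2013-06-11T02:40:00"},
    {"user": "u101", "role": "clerk", "county": "Lee", "action": "print_report",
     "time": "2013-06-11T02:45:00"},
    {"user": "u202", "role": "nurse", "county": "Lee", "action": "view_record",
     "record_county": "Macon", "time": "2013-06-12T10:00:00"},
]

def alerts(events):
    """Pair each flagged event's user and action with its reasons."""
    return [(e["user"], e["action"], r) for e in events if (r := review(e))]

if __name__ == "__main__":
    for user, action, reasons in alerts(SAMPLE_EVENTS):
        print(user, action, "; ".join(reasons))
```

The role check denies by default, so an event from a role missing from the policy table is flagged rather than silently allowed.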
Also, the department's workforce, which includes 4,000 employees in 65 counties, is being required to take privacy and security "refresher" training, Dunson says. That includes making employees aware of activities considered criminal - and their consequences - and also encouraging staff to report suspicious behavior to supervisors.