Thursday, May 25, 2006

Red Cross warns blood donors of possible ID thefts in Midwest

computerworld.com
Red Cross warns blood donors of possible ID thefts in Midwest
Todd Weiss

May 24, 2006 (Computerworld) About 1 million blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross were warned last week that personal information about them could have been stolen earlier this year by a former employee and might have been used in identity thefts.

The former worker had access to 8,000 blood donors in a database she used in her job, all of whom were notified by mail of possible identity theft problems on March 17, according to the agency. But after the original warning letters went out, the Red Cross decided to expand the identity theft warnings to all 1 million donors in the Missouri-Illinois region because of concerns that she may have accidentally accessed other records in the larger group.

The warnings to the 1 million donors are being made through the media and the agency's Web site, not through individual letters.

At least four of the donors among the original 8,000 in the donor database were victims of the data-theft scheme, said Jim Williams, a spokesman for the regional agency. An investigation is continuing to determine if any other donors have been affected.

The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.

The former employee, 20-year-old Lonnetta Shanell Medcalf of St. Louis, then allegedly opened credit card accounts at several stores using the stolen information and made purchases valued at more than $1,000, according to a statement by the U.S. attorney's office in the eastern district of Missouri.

Medcalf began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered, Williams said. Medcalf had 8,000 donor contacts in her database out of more than 1 million donors in the region who were not affected by the data thefts. Her case is scheduled for trial on June 19.

The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters.

Medcalf has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud in connection with the incidents, according to the U.S. attorney's office.

The Red Cross sent written notifications of the data breach to all 8,000 potential victims on March 17, advising them to contact credit bureaus to check their credit reports for any irregular purchases or activities. The agency is reimbursing any of the affected 8,000 donors if the credit reports can't be obtained for free. The agency also set up a toll-free hot line to aid any identity-theft victims of the incident and said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records.

The Red Cross also apologized for the incident and said it is working to improve security for such information.

If convicted, Medcalf faces a maximum penalty of 10 years in prison and/or a fine of $250,000 for the charge of credit card fraud. Each count of aggravated identity theft also carries a mandatory two years in prison consecutive to the credit card fraud sentence.

"We feel like victims here as well, but the ultimate victims are our donors," said Williams.