Several California cities, including Los Angeles and Berkeley, are investigating the potential defrauding of more than 3,000 people who rode in city-owned ambulances after an employee at a Florida billing agency "deliberately and maliciously" accessed and stole sensitive customer data.
Patient information was used in attempts to defraud the Internal Revenue Service of misdirected tax refunds as part of a much larger organized-crime ring targeted by an ongoing federal investigation called "Operation Rainmaker," the San Francisco Chronicle reported Friday (Nov. 30).
The data breach, which occurred at Fort Lauderdale, Fla., Intermedix Inc., also affected fire departments and emergency-response teams in El Centro, Corona and Carlsbad.
Intermedix is a subsidiary of Advanced Data Processing Inc. (ADPI), of Roseland, N.J., one of America's largest payroll-services providers and one of the most well-regarded companies on Wall Street.
"I thought it was wrong to try to privatize ambulance billing for this reason," Pat McOsker, president of the Los Angeles firefighters' union told the Los Angeles Times in a story published Thursday (Nov. 29). "It's shameful, absolutely shameful, that some city contractor, a private company making a profit off this, has people getting access to people's private information."
Rather than billing patients directly, the Berkeley Fire Department also sends sensitive information to Intermedix, the San Francisco Chronicle reported.
Nine hundred and thirty-one individuals transported by city ambulances in Berkeley were affected; 913 in Los Angeles; and more than 1,500 in El Centro, a city of 42,500. Numbers were not available for the other two cities.
Not just California
Names, birth dates and Social Security numbers were stolen — the bare minimum needed to file fraudulent tax returns.
ADPI has been notifying municipalities and state attorneys general individually, but says that 27 agencies in 17 states are affected. The company has not said how many potential identity-theft victims are affected overall.
The data-breach blog PHIPrivacy.net said ADPI had told it the affected states were Arizona, California, Florida, Georgia, Kansas, Kentucky, Massachusetts, Maryland, Missouri, North Carolina, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, Tennessee and Texas.
Outside California, major cities known to be affected included Atlanta, where Grady Memorial Hospital reported some 900 victims; Houston, where Harris County Emergency Corps was said to be affected; Omaha; and Overland Park, Kan. PHPPrivacy.net has a running list aggregating the municipalities to which ADPI has sent notifications.
Intermedix discovered its own breach on Oct. 1 and began to notify affected organizations in the last week of November.
Notification of medical data breaches are subject to strict federal regulations under the Health Insurance Portability and Affordability Act of 1996, but non-medical data breaches fall under state laws, which vary widely. Many state laws do not mandate notification if the breached data system and the affected individuals are located in different states.
California has among the strictest notification laws, which may be why the California cities received full disclosure early on.
Although much of the information has been used to commit fraud and identity theft, no medical information was stolen, ADPI spokeswoman Lisa MacKenzie told the press.
It wasn't clear whether this breach was subject to HIPAA rules.
[ Why State Data-Breach Laws May Not Protect You ]
Better money than drug dealing
During an investigation, Florida police learned that an Intermedix employee was sending confidential customer information to defendants in a different tax-fraud case, bringing the crime to light.
MacKenzie did not name the employee, but said he has since been terminated.
The "Operation Rainmaker" group, based in Tampa, is accused of the theft of more than $100 million in tax refunds, much of which was spent on jewelry, automobiles and electronics.
Forty-nine arrests were made in September 2011, but the gang seems to still be active.
This past September, another 13 people were arrested and charged in the latest wave of breaches, although the Intermedix employee was not among them.
The scheme was simple: Armed with the names, birthdates and Social Security numbers of strangers, gang members would use electronic tax-filing software to file early returns in their names — and have the refunds sent to themselves, often in the form of debit cards.
Among those charged this past September was self-proclaimed "queen of tax fraud" Rashia Wilson, a suspect in Operation Rainmaker who allegedly made so much money defrauding the government that she, like many other suspected members of the ring, gave up her former profession as a drug dealer.