Insider threat, redux
Tampa Bay Times reports:
Federal authorities say employees at James A. Haley VA Medical Center and Tampa General Hospital stole patients’ identities in tax fraud schemes.
Haley employee David F. Lewis is accused of taking the names and Social Security numbers of dozens of hospital patients and selling the information to people who used it to file fraudulent tax returns and get refunds, the U.S. Attorney’s Office in Tampa said Wednesday.
Lewis has a severe drug problem and acknowledged to investigators that he sold some of the patient information in exchange for crack cocaine, federal prosecutors said.[…]
From additional reporting by TBO, the VA case appears to be a different case than one back in October 2011 that involved records being removed from the Haley VA center. I don’t recall ever seeing an update to that one as to whether it, too, involved an insider.
But in another insider breach disclosed this week, the Tampa Bay Times also reported:
Meanwhile, a federal grand jury also this week indicted Tigi Moore, a clerk in Tampa General Hospital’s records department, for taking the names and Social Security numbers of nine patients to file fraudulent income tax returns and collect the refunds.
Moore, who had worked at TGH since 1998, was placed on unpaid administrative leave in October when authorities notified the hospital she was under investigation, said TGH spokesman John Dunn.
According to the indictment, Moore took nine patients’ information last year between March and September and gave it to two men, Corey A. Coley Sr. and Albert E. Moore Jr., as part of a wider scheme that wound up defrauding the government of more than $671,000.
Prosecutors say that scheme also involved using the identities of minors on probation. Coley, a former probation officer for Florida’s Department of Juvenile Justice, was charged in March with using the juvenile defendants’ identities to collect fraudulently obtained income tax refunds. Albert E. Moore Jr., a Walmart employee, was also charged as part of the scheme.
The Coley case was covered on the companion blog, DataBreaches.net.
Note that, again, the hospital only found out about the breach when notified by law enforcement. This has been a recurring theme in these tax refund fraud cases – the entity almost never detects the data copying or theft via its own internal mechanisms.