Agriprocessors Inc Raided by ICE - from Yeshiva World News

BREAKING: Agriprocessors Raided By US Immigration Police, 700 Estimated Arrested

According to The Des Moines Register, US Immigration officials are currently raiding the nations largest Kosher meat-packaging plant, Agriprocessors Inc., located in Postville, Iowa. Agents with U.S. Immigration and Customs Enforcement on Monday issued criminal search warrants for aggravated identify theft and fraudulent Social Security numbers.

Agency spokesman Tim Counts told the Waterloo-Cedar Falls Courier that civil search warrants also were issued for illegal immigrants, and agents and medical professionals are evaluating those who have been arrested.

Immigration officials told aides to U.S. Rep. Bruce Braley that they expect 600 to 700 arrests. About 1,000 to 1,500 people work at the plant, according to Iowa Workforce Development.

Earlier this morning, a helicopter hovered over the scene, and a number of agents formed a perimeter around the Agriprocessors facility. Vehicles from ICE and at least eight cars and vans from the Iowa State Patrol were at the plant. There were also reports of two moving vans at the scene, along with an ambulance and two black Chevrolet Suburbans. Additionally, four Homeland Security buses with U.S. Immigration and Customs tags on them have entered the Agriprocessors Inc. complex.

Further details will be posted by YWN as soon as an offical statement is issued.

---

With a sense of shame I ask, what is a good definition of Chillul HaShem? I can defend Agri against the PETA idiots. I can brush off comments about working conditions. I cannot ignore allegations of facilitating identity theft. One of the APRPEH blog missions is to educate about ID Theft. There are far too many people whose PII (personal identifying information) is being used to facilitate identity theft. I surely hope that Agri can be cleared here, but given the Swift meat raids in 2006, still in the courts, Agri is looking at significant legal bills and possibly jail time for executives or managers.

Not all ID theft is related to new account fraud. Actually according to the FTC (FTC data), only about 20% - 25% of ID Theft is related to fraud one would uncover reading a credit report. Employment fraud is a troublesome sort of ID Theft to clear up. A victim becomes aware of this type of fraud usually by the IRS after receiving a notice of failure to report earnings along with a notice to pay what they owe along with a penalty. I have assisted consumers through this mess of IRS and Tax Payer Advocate contacts a number of times. Consumers can continue year after year having to deal with this problem which often delays refund checks and forces the consumer to spend hours on the telephone talking to the IRS, visiting offices, making copies and mailing off disputes. Usually, the problem is correctable provided a consumer knows what to do or has professional assistance. In terms of Agriprocessors Inc, the least worst scenario is that someone or job company was feeding "pre-screened" employees to them.

The second to worst scenario is that Agriprocessors Inc is providing the IDs to these workers or can be shown to be giving a wink and nod to the practice essentially helping to facilitate fraud. The third worst scenario, (or in combination) is the voluntary giving over of IDs by select consumers for Agriprocessors Inc.'s use. This is pure theorizing on my part only and I have NO inside knowledge as to what is occurring at Agri nor is it intended by me to appear that I do or as Loshon Hara. I am merely sharing my professional experience of cleaning up the mess of employment based ID Theft.

Agriprocessors Inc., if guilty of facilitating ID Theft may be finished, which is shame and definite loss to the kosher consumer.


Des Moines Register story 'largest in Iowa history'

Shamis story

A Review of the 2008 HIMSS Analytics Report: Security of Patient Data

HIMSS Analytics (short for Healthcare Information and Management Systems Society); a “think-tank” for the healthcare management world has just released the 2008 HIMSS Analytics Report: Security of Patient Data. Press release.

This report examines the security of patient personal identifying information (PII) and protected health information (PHI). In the current data breach crazy world, this is a timely report which tries to get beneath the surface of the needs of health professionals to balance quick access to secure patient health records and the need to protect not only patient privacy but prevent access to information which could lead to identity theft.

In discussing PHI and PII it is important to first establish a fact. Unauthorized access to PII no matter where it may be found could lead to identity theft. Unauthorized access to PHI alone, will not lead to financial identity theft in most cases. It could be used to help a fraudster identify a possible victim by placing the consumer/victim in a particular location and may give the fraudster a hint as to vulnerabilities of the consumer. It is also unlikely to result in medical identity theft. In terms of useful information needed to perpetrate identity theft, the date of birth and Social Security Number are far more valuable than PHI. A consumer may feel that their privacy has been violated when PHI has been exposed but unless PII is included in the breached data, the patient is only marginally more likely to be exposed to identity theft than other non-breached consumers.

Health care organizations or as HIPAA labels these “covered entities,” must still treat all the personal information of their clients/patients the same. Other privacy obligations affecting the health care world are mandated from Sarbanes Oxley and Gramm-Leach-Bliley. In some cases, the PCI Data Security standard may also apply. Compliance with these three laws and the PCI Standard obligates a health care entity to take formal steps to implement reasonable privacy and security policies and procedures.

The HIMSS report may reflect a gap between reasonable policies and procedures and practice. Most healthcare facilities responding to HIMSS “indicated that their organization has a security policy in place. (p .4 of the report).” The study continues that these policies are reviewed regularly and that “85 percent of respondents indicating that their policy was updated on an annual basis, if not more often. (p. 4 of the report).”

Yet, the report also indicates that employees are considered the greatest threat which could cause a data breach of patient information, (p. 6, p. 15 of the report). The respondents indicated that even though part of new hire training involved security related matters, (95% of respondents) only 64% of the respondents require some form of on-going security training refreshing (p. 8). On the surface, it is fair to conclude that health care facilities do not place much faith in their security training. This is an area which could be addressed by implementing security mindedness to all areas of training and to every separate task performed in the facility. Or as quoted by Brian Lapidus, Kroll Fraud Solutions Chief Operating Officer and survey sponsor in the press release:

"There's a dangerous assumption in the healthcare industry that education leads to policy implementation and change," said Mr. Lapidus of Kroll. "Best practices in data security cannot be achieved by employee training alone. Organizations must make data security a part of their DNA, reflected in every aspect of business operations."

Maybe some of this detachment between policy and practice identified in the report can be traced to healthcare organizations focusing much of their security effort and resources on IT related security at the expense of employee training. Ninety seven percent (97%) of the respondents have implemented “Technical IT security” while only 70% have implemented formal education courses. This disparity can be compared and contrasted to the actual reporting of how breaches occurred amongst the respondents. The HIMSS results reveal that the health care management concern regarding employees is justified, with employee originated “unauthorized use of information” leading to 62% of all breaches followed by 32% of respondents blaming “wrongful access of paper-based patient information”, (pg. 18). In addition, in response to the question “who was the perpetrator of the security breach?” 80% identified a current employee. While improper release of PII or PHI may have originated with an employee 62% of the time only some of these occasions are likely the result of a blatant attempt to steal information and many of these are probably unintentional consequences of the busy and often demanding need to react with haste in a health care setting.

Based upon this research, healthcare facilities and employers seem to understand what causes data breaches however address these concerns ineffectively. A concentration on data security from the IT perspective is not addressing the fact that employees with authorized access to information, and causing breaches whether intentionally or unintentionally is the most significant threat to patient privacy and prevention of identity theft. Better background screening and higher thresholds for new hires may address some of this problem. The effort to implement a national health record access system may or may not solve this problem; however, such a solution may or may not make theft of information easier. Healthcare management is left with the daunting task of figuring out what change is needed to that will prevent patient PII and PHI from being breached yet keep it accessible for those health care professionals who need it. Based upon the HIMSS results, the policies and procedures at many of America’s health care facilities need to be re-evaluated with a mind to stimulating a culture of data security. A copy of the report can be downloaded here.

Rating Credit Safety

Javelin Announces Security Elements of Dream Credit Card to Fight Fraud; Scorecard Ranks Best Card Issuers in Consumer Fraud Protection

[August 01, 2007]

Javelin Announces Security Elements of Dream Credit Card to Fight Fraud; Scorecard Ranks Best Card Issuers in Consumer Fraud Protection

SAN FRANCISCO --(Business Wire)-- Today Javelin Strategy & Research announced the security features of a dream credit card that put consumers in the driver's seat when it comes to protecting them from identity fraud and knowing exactly what's happening with their accounts. Javelin also announced the top credit card issuers that provide the best features that prevent, detect and resolve identity fraud. The findings are detailed in Javelin's comprehensive research study, "2007 Card Issuers' Identity Safety Scorecard."

"Card issuers have a golden opportunity to increase loyalty and retention, and strengthen relationships and their brand reputation, by giving consumers simple identity fraud prevention tools they like to use," said James Van Dyke, President of Javelin Strategy & Research. "Identity fraud is a major pain point for consumers and can damage the relationship between the consumer and the card issuer."

Why it's important to address identity fraud today

Last year, 8.4 million Americans became victims of identity fraud, with total fraud amounting to $50 billion. The average victim paid $587 out-of-pocket for fraud on an existing account. If the thief opened a new account in the victim's name, the average victim paid $792. On average, victims spent 25 hours resolving their fraud case(1).

Security elements of a dream credit card for protection against identity fraud

Javelin's research has determined the optimal combination of available, effective tools and policies that best protect consumers. Below are the ideal security elements of a dream credit card and research findings in support of them:

For Fraud Prevention

-- Provides customers the ability to restrict or allow certain types of transactions (e.g. cash advances, foreign transactions, card-not-present transactions).

-- Uses identifiers other than social security numbers for identity verification.

-- Truncates all customer-sensitive data while interacting with customers.

-- Encourages customers to protect their home computers with anti-virus software by partnering with security software vendors (e.g. Bank of America's partnership with Symantec).

-- Offers photo of account holder on card.

For Fraud Detection

-- Provides mobile device or email alerts of high-risk changes to accounts (e.g. replacement card sent out, PIN or password reset, change of physical address or email address), initiation of higher-risk transactions (e.g. card not present, foreign transactions, activity on dormant account), and status of accounts (payment past due). Over two-thirds of account takeover cases are due to a fraudulent change of address. Alerts for changes to personal information are one of the top desired alerts by consumers.

-- Notifies customers of new account set-ups. New accounts fraud is traditionally the most difficult for consumers to detect. Credit cards continue to be the most abused category of fraudulent new accounts.

-- Facilitates consumer ordering of credit reports and credit monitoring services. New fraudulent accounts can be virtually invisible to a consumer without a credit monitoring service.

For Fraud Resolution

-- Institutes a comprehensive, up-to-date data breach resolution plan.

-- Provides an identity fraud assistance team to help customers affected by fraud.

-- Offers zero liability for fraud.

-- Offers next-day card replacement in addition to 24/7 account suspension capabilities.

-- Offers free identity fraud insurance.

The results of Javelin's Card Issuer Scorecard Study:

Overall: Safest card issuers

1. Bank of America (Visa Platinum)

2. American Express (Blue from American Express)

3. (2-way tie) Discover (Discover Platinum), First National Bank Omaha (Platinum Edition Visa)

4. Citibank (Citi Platinum Select)

5. Navy Federal Credit Union (Platinum MasterCard)

Fraud Prevention: Top card issuers

1. Citibank (Citi Platinum Select)

2. (3-way tie) Bank of America (Visa Platinum), First National Bank Omaha (Platinum Edition Visa), Navy Federal Credit Union (Platinum MasterCard)

3. Discover (Discover Platinum)

4. JPMorgan Chase (Chase Platinum Visa)

5. Nordstrom (Platinum Visa)

Fraud Detection: Top card issuers

1. American Express (Blue from American Express)

2. U.S. Bank (U.S. Bank Visa Platinum

3. Bank of America (Visa Platinum)

4. Discover (Discover Platinum)

5. (3-way tie) Capital One (Capital One Platinum MasterCard), First National Bank Omaha (Platinum Edition Visa), Wachovia (Wachovia Visa)

Fraud Resolution: Top card issuers

1. (12-way tie) American Express, Bank of America, Capital One, Citibank, FNB Omaha, HSBC, National City, Navy FCU, RBS National, State Farm Bank, Target, Wachovia

2. (8-way tie) BB&T, Commerce Bank, Discover, Nordstrom, Sun Trust, U.S. Bank, WaMu, Wells Fargo

3. (3-way tie) Fifth Third, GE, USAA

4. Advanta

5. JPMorgan Chase

Key findings from the report

-- Many issuers are not providing consumers with the ability to specify limits or prohibitions on particular types of account activity. Only 24% of card issuers provide user-defined limits and/or prohibitions (UDLAPs) on cash advances.

-- More than half (56%) of top card issuers still require full nine-digit Social Security numbers when interacting with customers, whether by phone, Internet or mail. This is a risky practice that unnecessarily increases the customer's exposure to identity fraud.

-- The number of issuers offering transaction alerts for transactions such as payment past due, new account set up, foreign transactions and replacement cards is a missed opportunity for issuers.

-- The lack of alerts for changes to personal information makes issuers especially vulnerable to new accounts fraud and account takeover. Only 16% of card issuers provide an alert for physical address change.

-- 84% of issuers report having a data breach resolution plan in place, given the ever-increasing awareness of incidents such as the TJX breach. Considering the tremendous risk to brand posed by a security breach, it is imperative that any issuer appropriately handle customer notification and assessment in the event that a breach occurs.

Where the industry can improve -- stronger fraud prevention and detection

To date, issuers have provided consumer security guidelines, multi-factor log-in authentication and online purchase authentication. However, this does not go far enough. Issuers have an opportunity to do better in prevention and detection.

Issuers can strengthen their brands and increase customer loyalty by placing some of the responsibility into the hands of their customers, specifically, by implementing UDLAPs on specified activities and dynamic, two-way alerts for suspicious transactions. Customers must also be given greater authority over their user profiles and have the ability to receive alerts for any high-risk changes to their records or any activity that they have defined as abnormal.

Javelin's research found that customers know their own spending habits best and can set the appropriate levels of security when armed with the ability to impose restrictions on their own accounts. "Consumers play an essential role in security, detecting nearly half of all identity fraud cases," said Rachel Kim, Javelin Risk & Fraud Analyst. "Consumers want to be involved in protecting their accounts, with 60% viewing this as a duty they share with their financial institution."

What consumers need to know

Because fraud can be committed through so many methods, consumers are advised to utilize a variety of the most effective measures to protect themselves. Note to editors: Javelin has prepared a document entitled "How Consumers Can Protect Themselves from Identity Fraud," which includes ways to avoid becoming a victim, ways to detect fraud, stop criminals and lower your liability, and ways to resolve identity fraud. It is available upon request or here.

The most comprehensive research on consumer-facing identity fraud features

Javelin conducted the most rigorous and comprehensive research on consumer-facing identity fraud detection, prevention and resolution features to date. Javelin ranked the nation's top 25 credit card issuers on the services and measures they have implemented in partnership with consumers to protect against identity fraud. It analyzed data supplied by the issuers' customer service representatives (CSRs) and consulted information available on card issuers' Web sites. Javelin researchers validated the process with firsthand reviews of actual features in selected cases.

The research employed a multi-disciplinary approach: statistical analysis, mystery shopping with senior level customer service representatives, and monitoring and review of features and policies on card issuer Web sites. The prevention and detection categories were weighted more heavily than resolution due to the greater potential benefits and cost savings.

For More Information

Additional information and a copy of the complete July 2007 Card Issuers' Identity Safety Scorecard, as well as other Javelin reports, are available at www.javelinstrategy.com/research or by calling (925) 225-9100 x26.

About Javelin Strategy & Research

Javelin is the leading provider of independent, industry-specific, quantitative research and strategic direction for payments and financial services initiatives. www.javelinstrategy.com.

(1) Javelin Strategy & Research, 2007 Identity Fraud Survey Report, February 2007.

---

It is nice to see a demonstration showing how easy it would be to knock out a substantial amount of account application identity theft. The reality is, (as was discussed in the posts Suing the Creditor For Liability and Identity Theft Protection For Healthcare Companies) the suggestions coming from Javelin may not protect a consumer from becoming a victim of Synthetic Identity Theft. The best protection for consumers would be not providing credit reports to creditors solely based upon a social security number. Like a consumer wishing to order their own report, the creditor should be required to submit a full set of PII and answer a consumer generated security question. The answer to the security question would be provided during the application process. The security question and answer would be on file with the credit bureau.

Secondly, the creditor should be required to run a skip trace and verify the identity of the consumer. If the identity does not match exactly, the creditor could either deny the application or request evidential documentation to verify the consumer's PII.

Third, making the creditor pay for any remediation services needed by a victim as a result of the credit issuers actions would serve as a direct incentive for the credit issuer to utilize every reasonable measure to prevent a fraudulent application from being approved.

Identity theft will continue to be a factor in the P/L of credit issuers for many years to come. However, reducing the impact and the number of victims is an achievable and realistic goal.

Identity Theft Protection for Healthcare Companies

Expert Advice
By: Brian Lapidus, Senior Vice President of Kroll Fraud Solutions, www.krollfraudsolutions.com
Guest Blogger on Healthcare Blogmatica

The fact of the matter is that patients – and the law – demand that healthcare companies protect highly sensitive information from every possible threat. But in-house security options just can't keep pace with rapidly growing risks. After all, anti-virus software won't stop someone from taking medical records. A firewall can't help retrieve a stolen laptop. Below, I answer several questions that every healthcare organization should know.

Q: Why are healthcare organizations particularly vulnerable to data breaches?
A: There are several factors that make healthcare organizations particularly vulnerable to data breaches. Some of these factors include:
Sensitivity of data - The healthcare industry is responsible for maintaining its patients' most sensitive Personal Health Information. PHI is a treasure-trove for identity thieves.


Immense Data flow (masses of data flowing in and out) - A primary reason healthcare data security breaches occur is because facilities do not know where all instances of their patients' sensitive or confidential information resides within the network. Moreover, the danger does not stop at the hospital perimeter, but includes vendors that share or receive the data, as well as employees' and contractors' laptop computers and other portable storage devices.


Portability/Usage of EPHI (Electronic Protected Health Information) storage devices - Improvements in technology and the portability of patient data come at a cost to security. Devices used to store and access PHI include laptops; home-based personal computers; Personal Digital Assistants (PDAs) and Smart Phones; USB Flash Drives and Memory Cards; floppy disks; CDs; DVDs; backup media; Email; Smart cards; and Remote Access; not to mention hotel, library or other public workstations and Wireless Access Points (WAPs).
Q: Who and/or what is at risk should a data breach occur? Are children, in particular, at risk? If so, why?

A: The credit reporting agencies do not knowingly maintain credit files on minor children. Therefore, if the Personal Identifying Information (PII) of a minor is at risk, it is impossible to place a "fraud alert' on his or her credit file to monitor and help protect the child from identity abuse. Many victims do not realize that their information was used until they apply for credit as an adult.

There are two different ways that an identity thief can use a minor's information. The first is "Minor ID Cloning" where a thief uses the minor's name and social in combination with a fraudulent address and date of birth to apply for credit. Once the credit bureau receives an application for credit, that begins the minor's credit history and the child "becomes" the age of whatever information the thief supplied on the application for credit.

The second form of minor identity theft is "Minor ID Combining" where a thief uses the minor's social security number in combination with the thief's name and date of birth.

The detection and repair of minor identity theft is a time consuming and difficult process.

Q: What should healthcare organizations be doing to better protect the personal information of children and all patients?

A: Awareness of data-breach methods and ways to thwart an attack are key to reducing exposure. Following are some simple steps to elevate awareness and establish a better defense:
Educate employees about appropriate handling and protection of sensitive data. Have sanctions in place for employees found not following proper guidelines. Both are HIPAA requirements.
Consistently enforce policies and procedures, physical safe guards, and IT security. All three are required by HIPAA.
Review and revise physical security practices as needed in both bricks and mortar and virtual operations. Address all the critical areas, such as who can leave the office with patient's PHI, where sensitive data is stored and destroyed, who has access to sensitive data, and whether employees are required to surrender keys and badges upon leaving the company's employ.
Q: What are the top three things healthcare organizations can do to protect themselves pre-breach? Post-breach?

A: Pre-Breach
Designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity's privacy practices as required by the HIPAA Privacy Rule at 45 C.F.R. § 164.530(a).
Covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity's business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule. Covered entities must develop and implement policies and procedures for authorizing EPHI access in accordance with the HIPAA Security Rule at §164.308(a)(4) and the HIPAA Privacy Rule at §164.508. It is important that only those workforce members who have been trained and have proper authorization are granted access to EPHI.
Partner with a corporate breach and data security expert to map a breach response strategy and plan. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the HIPAA Privacy Rule at 45 C.F.R. § 164.530(f).
Post-Breach
Have a relationship with a corporate breach and HIPAA data security expert so that any investigation can begin immediately and affected individuals will be notified in a timely manner. Collaborating with a company that can investigate, notify, and assist breached individuals goes a long way to avoid loss of brand integrity.
Detail who is in charge of any internal investigation, and who will speak to the police and media. Notify your corporate breach and data security expert partner there is a security issue.
Maintain a good relationship with local, state, and federal law enforcement throughout the investigation. A positive report about a healthcare provider's cooperation with law enforcement goes a long way toward maintaining brand integrity.
Q: Describe a client in this industry who benefited from your service.

A: A healthcare provider lost backup tapes and disks which contained personal information of 365,000 patients. The personal information exposed included patient's names, physicians' names, addresses, date of birth, patient financial information, insurance data, diagnoses, prescriptions, and in some instances, lab results. The tapes also contained personal information of deceased individuals and minors who had received treatment at their facility. Kroll was hired to notify these individuals of the loss of information and to provide licensed investigators to respond and educate disturbed callers on how they could protect their personal information as well as that of minors and deceased loved ones. In addition to consultative services, the investigators provided assistance to individuals who had fallen victim to identity theft as a result of this incident, and helped these individuals regain their pre-theft identity status.

Q: What are the latest trends in security breaches at healthcare organizations?

A: I'll provide two examples that discuss two of the latest trends, one focusing on a healthcare payer and the other focusing on a healthcare provider.

Healthcare Payer
A large commercial healthcare insurance company experienced a data breach as a result of a laptop being stolen from an employee's car. The employee did not follow the corporate policies for protecting member data which resulted in exposing Personally Identifiable Information (PII) for 38,000 plan members. The information compromised included names, addresses and Social Security numbers and health related data. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to Identity Theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.

Healthcare Provider
A hospital while under an expansion of its IT system, discovered there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of patients, and of the parents or guardians who were listed as the main policy holders with the health insurance carrier. This personal information included names, addresses, social security numbers and patient (minors) birth dates.

The second database contained personal financial information, unencrypted bank account and routing numbers pertaining to individuals who had donated to the hospital. Kroll was hired to provide notification and consultation to impacted individuals. Additionally, for individuals who had fallen victim to Identity Theft as a result of this incident, Kroll provided licensed investigators to assist those individuals in resolving the issue and returning their identity to its pre-theft status.

If you or your company would like to discuss a particular identity theft protection solution or issue, please visit www.krollfraudsolutions.com to get additional information or to contact a Kroll Fraud Solutions specialist.
Posted at 11:57 PM in HIPAA, Privacy, Regulations | Permalink

Technorati Tags: credit fraud, hipaa, id theft, privacy

---

Graphic Courtesy Bankrate.com

In terms of the risk to minor's and identity theft, what is described above as "Minor ID Combining" has been labeled synthetic identity theft. Synthetic Identity Theft, as opposed to True Name Fraud, uses a piece of a consumer's identity but not the entire identity (True Name Fraud). Tracking the damages of Synthetic Identity Theft is difficult. Consumer's may not discover they have become a victim by the usual route of ordering a credit report. Why? The credit bureaus produce what are called sub-files. The bureaus pretend that this does not occur yet everyone knows that it does indeed occur. The sub-file is produced by querying all credit information connected to a Social Security Number (SSN), (but not necessarily a name). When a creditor requests a credit report based solely upon the SSN, all the information appears. When the consumer requests their own credit report, they must provide a full set of PII. The report that is produced using a full set of PII is of course more accurate due to better filtering. The consumer usually finds out about Synthetic Identity Theft due to a creditor running the SSN in a skip trace and contacting the consumer to verify an application (often in a similar or all together different name) or to ask about a delinquency.

Children are particularly vulnerable to synthetic identity theft because their SSN is fresh. The sub-file will be produced (later leaving the fraudster looking like the consumer instead of the consumer who was issued the number) and the child or child's parents will have no means to discover what is happening until the minor attains legal status and requests credit the first time.

The bureaus could cease being a contributor to fraud by requiring the same PII inputs from business as they do from the consumer or vice versa, allow the consumer to request a credit report with only a SSN. Given the peril of the latter suggestion, (fraud and privacy issues) the bureaus should require a complete set of PII for any credit report request. If the name, address, and SSN does not match the application, the creditor should decline the request for credit. So much for easy credit, huh?


Graphic Courtesy McMaster University

In re: medical ID Theft
The rights that a consumer has under HIPAA include:

• The right to access your medical records


• The right to ask for amendment of your medical records, and


• The right to have your request for amendment added to the records.


• The right to have an accounting (or history) of disclosures.

All covered entities must post these rights on site and make them available to the consumer.

The World Privacy Forum studied medical identity theft in depth and published their research along with suggested policy changes in 2006.

More of the WPF's work can be found here.

Other resources include:
Privacy Rights Clearinghouse
Health Privacy Project
HIPAA FAQ'S from the US HHS Department