Kelsey-Seybold Clinic patients in second breach or one multi-year breach?

Bob Dunn had an eyebrow-raising story on FortBendNow.com earlier this week. The story concerned recent grand jury indictments of 38 people involved in stealing identities to use for a payday loan scheme.

Dunn writes, in part:

Tracy Spencer-Gilmore, formerly with Kelsey Seybold Clinic, was one of 38 people indicted over the past several weeks in connection with an identity theft ring in which more than 500 people in four area counties were victimized, the Sheriff’s Office said in a statement Thursday.

The last of those indictments were handed down by a Fort Bend County grand jury earlier this month.

Among those indicted were Spencer-Gilmore and Chante Monique Small, a former HCA-Clear Lake Regional Medical Center employee. Both were charged in indictments with stealing patient information from their employers.

[…]

Sheriff’s detectives identified the Kelsey-Seybold and HCA-Clear Lake clinics as being among “possible sources of the stolen identities.”

Kelsey-Seybold Clinic, which is part of St. Luke’s Episcopal Hospital System, has 18 locations, including Clear Lake Regional Medical Center.

This is not the first report implicating Kelsey-Seybold Clinic. In March 2008, a story in the Houston Chronicle (archived copy here) reported that Kelsey-Seybold insurance analyst Kretia Lutriel Griffin had been sent to prison for her role in stealing patient information of 200 patients between October 2005 and March 2007. She sold their details to Aubrey Johnson. Johnson and others used the patients’ personal information to open credit accounts at Target, Wal-Mart and Home Depot.

One incident or two?

Neither Griffin’s nor Johnson’s name appear in this latest news story, and it is not clear whether the latest indictments are all part of a ring involving employees of Kelsey-Seybold that took place over a number of years or whether the newly revealed criminal activity involving Kelsey-Seybold Clinic and Clear Lake Regional Medical Center employees is unrelated to the previous confirmed breach. Back in March, Vince Edwards, the investigating U.S. Secret Service agent on the Griffin case said that the agency was working on more indictments connected to the 2007 fraud case, and the federal prosecutor on that case, Assistant U.S. Attorney James Buchanan, was quoted as saying that

“This was a wide-ranging, far-reaching criminal conspiracy that did a lot of damage to a lot of people and had the potential to do damage to a lot more.”

Did their ongoing investigations reveal the payday loan scheme?

Kelsey-Seybold Clinic reportedly has about 350,000 patients. The Clinic had notified 1600 patients whose data Griffin had access to.

As yet unanswered questions

If Griffin was reportedly responsible for the theft (and misuse) of 200 patients’ data, how many additional patients have had their data stolen or accessed by these other employees? And how many patients, total, have had their data misused?

What has Kelsey-Seybold Clinic done to notify or assist those whose data were accessed or misused? There is no statement on their web site about the latest report or how many patients they have notified because of the latest revelations.

When did the Clinic first discover that there was a problem and what are they doing to prevent future problems? The newest indictments lead to the tentative conclusion that the Clinic has had at least three dishonest employees over the past few years. Griffin had no criminal background that would have shown up in any routine pre-employment check, and it may be the same for the two newly indicted employees, but how is it that such massive inside theft was occurring and was not detected by the hospital’s own internal security and checks?

The Clinic did not respond to phone calls requesting a statement or clarification about these latest news reports.