It’s not that often that we find out about extortion attempts related to data breaches, so when we do, I try to follow up on them. Here’s a follow-up to an extortion attempt involving Xavier University that I previously covered on this blog. Kimball Perry reports on a very poorly executed crime:
Recently released from prison, Miller Beckham III was looking for some cash.
He thought he’d hit the jackpot when he found a cache of documents that detailed medical and other personal information of several Xavier University athletes. Beckham told XU officials he’d gladly return the documents – for $20,000.
What ensued was what the judge called remarkably dumb moves by Beckham that culminated Tuesday when Beckham pleaded guilty to extortion and was sent to prison for two years.
[…]
XU officials said the records were stolen from the car of a coach, but Assistant Prosecutor Andy Berghausen said a Xavier cross country coach misplaced the records, which also include the medical histories of the athletes’ families. Coaches take athletes’ medical histories with them to sporting events in case of injuries or if they have to administer medication.
Read more on Cincinnati.com. You’ll be shaking your head and muttering to yourself about the stupidity of Mr. Beckham using his own phone to call in the extortion attempt and his cooperatively dropping off samples of the documents, thereby allowing witnesses to see him.
What I also find noteworthy is that the breached records included medical information. Once again, we see schools in possession of sensitive information but they are not necessarily covered by HIPAA or HITECH. For the umpteenth time, I repeat: it shouldn’t matter what type of entity is in custody of sensitive information – if they lose control of it, they should be required to notify those affected, etc. In this case, there was no obligation to notify under FERPA, no apparent obligation under HIPAA, and I don’t think that Ohio’s breach law covers paper records.
Can you hear me now, Congress?