As I’ve noted here and on PHIprivacy.net a number of times, sometimes the only way we seem to find out about breaches is when government attorneys issue press releases that refer to breaches. Often, such press releases lack the kind of details we need to help us understand what type of breach occurred, how many it affected, and so on.
The U.S. Attorney’s Office in New Mexico prosecuted a case that provides a useful example of “unknown knowns.”
On January 24, 2012, they announced that Douglas Kuester had been indicted on January 18, 2012. According to the indictment, between February 2007 and March 2010, Kuester, working as a tax preparer, filed fraudulent tax returns using stolen information from an unspecified number of individuals. He used their names, dates of birth, and Social Security numbers. The refunds were directed to bank accounts that he either controlled or had access to.
Kuester pleaded guilty on May 24, 2012, and was sentenced on November 18 to 48 months in prison and $911,000 in restitution.
But not one of the official press releases gave us any clue as to how and where Kuester obtained the stolen identity information or how many victims there were. So I wrote to the U.S. Attorney’s Office, who kindly sent me Kuester’s plea agreement and the sentencing memorandum. They also informed me that Kuester obtained much of the “stolen” identity information from former clients for whom he had prepared tax filings. The sentencing memorandum makes it clear, however, that not all former clients were necessarily innocent victims, and some may have been co-conspirators in the scheme.
So what do we do with reports from complex cases like these? I wish the government would provide more details in their press releases as to how many people had their details or data stolen, and/or how the criminal obtained their information. Is that really too much to ask for?