San Mateo Medical Center is offering current and former employees three years of identity theft protection services because someone they hired for their payroll unit failed to disclosed a prior conviction for identity theft and they didn’t discover the conviction until after the employee had access to payroll data.
Although an investigation disclosed no evidence of employee information being misused, the fact that the employee had access to names, contact information, Social Security numbers and date of birth triggered their prudent response to protect employees.
You can read their letter here (pdf).
As a result of the incident, SMMC has revised its background checks procedure, but they don’t actually explain what went wrong here. Did they start the employee before they got the results of the background check or did the background check fail to uncover the conviction, or…..?
Update: idRADAR reports that the problem occurred because of a delay in the receipt of fingerprint information. So it appears SMMC did the start the employee before getting all the background check process completed.