Blue Ridge Shredding. Service in 24 Hours!



May 24th, 2005
FTC Credit Rule Could Signal More Shredding
By Dan Sandoval
Recycling Today

The Federal Trade Commission is seeking comments on a proposed rule that would relate to the Fair and Accurate Credit Transactions Act (FACTA) and the Fair Credit Reporting Act (FCRA).
The proposed rule, currently known as 16 CFR Part 682, relates to the "disposal of consumer report information and records, pursuant to the Fair and Accurate Credit Transactions Act of 2003."
According to a news release issued by the FTC, the purpose of the rule is to "reduce the risk of consumer fraud, including identity theft, created by improper disposal of any record that is, or is derived from, a consumer report."

The proposed rule requires that any person or company possessing or maintaining covered consumer information "take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The proposed standard for disposal is "flexible to allow covered persons to make decisions appropriate to their particular circumstances," according to the FTC.
Several types of records are specifically mentioned in the proposed rule, although the term "disposal" is not clearly defined.

Records covered include, "Any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. [This] includes all types of records that are consumer reports or contain consumer information derived from consumer reports [that] identify any particular consumers."

Regarding destruction methods, the proposed rule states that entities possessing the consumer information "take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."

The FTC has not favored any single technology, noting that such technology is changing rapidly. "The Commission recognizes that there are few foolproof methods of record destruction," the rule states. "Accordingly, the proposed rule does not require covered persons to ensure perfect destruction of consumer information in every instance; rather, it requires covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The Commission expects that entities covered by the proposed rule would consider the sensitivity of the consumer information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods and relevant technological changes. ‘Reasonable measures’ are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training."

While standards for destruction are not set, examples are given. These include, "Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed," and, "Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed."

The Commission has set its comment period to end in mid-June. "The FTC expects that entities subject to the proposed rule will make decisions about what measures are reasonable based on the sensitivity of the information at issue, the costs and benefits of different disposal methods and relevant technological changes," the FTC news release states. "The proposed rule’s flexible standard also is intended to minimize the burden of compliance for smaller entities."

The Commission is seeking comment on all aspects of the proposed rule, with a deadline of June 15, 2004.
Text of the rule can be found online at the FTC’s Web site at

May 2, 2005
Iron Mountain Lost Worker Data
Lost computer tape puts 600,000 Time Warner employee records at risk of identity theft.

Time Warner announced Monday that 600,000 of its employee records were lost on the way to a secure storage facility.

The records were stored on a computer tape and included the names and Social Security numbers of current and former Time Warner employees. The data also included information on the dependents and beneficiaries of the employees dating back to 1986.

“We take the security of our employees’ personal information extremely seriously and we deeply regret that this incident occurred,” said Larry Cockell, Time Warner’s Chief Security Officer.

Time Warner is working with the Secret Service to investigate the data loss. The company reports contractor Iron Mountain lost the tapes while they were in transit to a secure storage facility. Iron Mountain officials weren’t immediately available for comment.

Shares in Boston-based Iron Mountain dropped $0.38 to close at $29.32.

Time Warner is advising employees to check their credit reports at Experian and Trans Union. But it said it has no evidence the files are being used to commit identity fraud. The files left Time Warner for storage on March 22.

More than 1.39 million Americans learned that they may have been the subject of identity theft in the last three months.

HSBC, a U.K. bank, recently informed 180,000 of its customers that information the company kept on them had been exposed to potential criminals (see HSBC Warns 180,000 of Fraud).

Earlier the same week, data-collection firm LexisNexis announced it would mail letters to 280,000 Americans whose information had been compromised (see LexisNexis Leaks 280,000 IDs). Before that, the San Jose Medical group lost 185,000 patient records and Social Security numbers when someone walked out of the hospital with a computer under each arm.

The recent rash of identity theft started with ChoicePoint’s announcement in February that it had lost detailed data on 145,000 people at the hands of a low-tech fraudster (see The Choicepoint Incident).

Reuters contributed to this report.

November 22, 2004
HIPAA Gavel Drops — A Message to Healthcare
By Mike Scott
Radiology Today
Vol. 5 No. 24 Page 38

An employee of a Seattle cancer center became the subject of the first privacy law prosecution. The case also could have been prosecuted as identity theft and credit card fraud. That it became a HIPAA case wasn’t a fluke.

A man pleading guilty to violating HIPAA’s confidentiality rules could serve as a wake-up call for many in the healthcare industry.

In mid-August, Seattle phlebotomist Richard Gibson, 42, admitted that he had obtained personal protected health information about a cancer patient that gave him the ammunition to use four of that patient’s credit cards in racking up more than $9,000 in charges. Gibson was an employee at the Seattle Cancer Care Alliance and in essence performed an identity theft on the unsuspecting patient to buy video games, jewelry, and other items, according to the U.S. Attorney’s Office.

Plea Deal
Federal prosecutors worked out a plea deal with Gibson. Earlier this month, he was sentenced to 16 months in prison (plus three years of supervised release) and ordered to pay more than $9,000 in restitution. U.S. District Court Judge Ricardo S. Martinez called Gibson’s use of a cancer patient’s health information to perform credit card theft “some of the most deplorable [behavior] I’ve seen in 15 years on the bench.”

The fact that the federal government elected to prosecute Gibson for violating HIPAA rules was surprising and unique, according to many law experts. If the case had followed a more typical scenario, Gibson would have been prosecuted for credit card fraud and identity theft. But because he was employed by the cancer center—a “covered entity” under the privacy rule—HIPAA was invoked. That should send a message to hospitals and healthcare systems and practices across the country.

Brian Annulis, an attorney with the Michael Best & Friedrich LLP law firm headquartered in Chicago, says this move by the U.S. Attorney’s Office should tell healthcare administrators that the government is serious about HIPAA. He believes this is the government’s strongest legal message yet concerning a HIPAA infraction.

“HIPAA includes a criminal provision that hospitals would not be subject to, but they could be subject to the civil provision,” says Annulis, whose firm specializes in working with healthcare clients around the country. “Identity theft is something that has been rearing its ugly head in our country for a few years now, but the fact that the government decided to use HIPAA means they wanted to get their point across and to get some media attention. If this was just a regular $9,000 identity theft case, it wouldn’t even make the newspapers, but this was meant to send a ripple throughout the industry.”

Annulis says the civil monetary penalties handed out by the government to healthcare entities cannot exceed $1,000 per offense or $25,000 total per year, but the penalties in a civil suit brought against a healthcare entity by an individual are limitless—and, in certain cases, could mean a multimillion-dollar lawsuit depending on how the crime was committed and how much money or credit was stolen.

This case isn’t the first time a hospital or healthcare employee has used information obtained from their job to steal from a patient via identity theft. However, Annulis says this is the first time the government has prosecuted a case invoking HIPAA’s privacy component.

What’s It Mean?
So what does this case mean for hospitals, radiology practices, and the healthcare industry in general? First, it is critical for hospital administrators to review their internal HIPAA compliance plans and communicate to all employees what the plan entails and the penalties that could be levied against an individual who doesn’t follow HIPAA guidelines. The same applies to imaging centers and physician practices.

“The federal law only requires that healthcare facilities go through a HIPAA training program up front, but we tell our clients—whether physician practices, home healthcare organizations, or hospitals—to take a HIPAA training program annually. We also tell them to educate their employees about any changes,” says Mike Fleischman, vice president and principal of Gates Moore & Company in Atlanta, a consulting firm that provides strategic and operational physician practice management and tax and accounting services.

The government indicated that the serious nature of this crime played a role in the penalties it was seeking. “Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life and having to cope with identity theft is just unconscionable,” says U.S. Attorney John McKay. “This case should serve as a reminder that misuse of patient information may result in criminal prosecution.”

U.S. Attorney Public Affairs Officer Emily Langlie says government lawyers examined the statutes that could be brought against Gibson, and it was determined that the amount of time served and penalties levied were similar whether it was tried under HIPAA or under credit card fraud laws. Since Gibson was a phlebotomist who blatantly stole from a person who was relying on the healthcare system to treat a serious ailment, Langlie says the HIPAA angle was appropriate. “There is always an interest in deterrence, and this is certainly a case that had more attention than it would have had it been tried under a different statute,” she says.

Warning Shot
While some industry observers speculate whether this case was prosecuted under HIPAA for publicity reasons, many feel it is the first of numerous such cases. The current privacy regulations have been in place since last April and additional security regulations will be added in 2005.

Dan Rode, vice president for policy and government relations for the American Health Information Management Association, says that as of September, the Office of Civil Rights has turned a number of cases, perhaps as many as 30 to 40, over to the U.S. Justice Department that could be prosecuted under HIPAA laws. Rode also says the Department of Justice looks at identity theft complaints that arise out of a healthcare setting, gains additional evidence, and formulates how the case should be prosecuted. “This may be the first of a number of cases that are treated in this manner,” Rode says. “What this case in Seattle has shown us is that the prosecution under HIPAA is accepted well.”

Annulis says it is virtually impossible for healthcare administrators to prevent a HIPAA violation if an employee decides to break the law. But any civil penalties levied against that entity could be significantly lessened or dropped altogether if investigators determine that facility administrators took reasonable steps to prevent the violation. Such steps include conducting a complete criminal and credit background check on all new employees. These checks cost money, but Fleischman says it is a basic function of the hiring process these days that all organizations, whether in healthcare or not, should take. “We have laws here in Georgia where certain violations can be prosecuted under HIPAA and state ID theft [statutes],” he says.

Fleischman adds that some healthcare organizations are still ill-equipped to deal with HIPAA regulations and that some are buying privacy manuals for the first time. He notes that one area that could incite a HIPAA violation and warrants attention is security. “Organizations have to make sure they are up-to-date with their internal security standards,” he says. The electronic security standards will be enforced beginning next year.

Preparation is more than half the battle, according to Annulis. And healthcare organizations should understand how seriously the government is taking the Seattle case because of the lightning speed with which the case moved through the courts. “What you want to be able to do when the FBI or the police come to your door is cooperate with them and show them your compliance plan and how every employee has documentation of the plan,” says Annulis. “They want to be able to say, ‘We did all that we could.’”

No Track Record
The bottom line is that privacy compliance is a subject that is still unclear and, from a legal standpoint, this compliance still represents uncharted waters. Regardless, it is critical that healthcare administrators heed the warning shot that the government has fired in pursuing the Gibson case under HIPAA.

“For the first time, we have a case that demonstrates the government’s interest in pursuing the HIPAA law,” says Rode. “That is significant for every organization [in the industry].”

— Mike Scott is a freelance writer who has contributed to more than 70 magazines, newspapers, and Web sites on numerous topics—from business to healthcare to technology. He lives in Waterford, Mich.

December 2004
Alleged Failure to Adopt Privacy, Security Safeguards Leads to FTC Enforcement
Reprinted from the issue of December 2004 REPORT ON PATIENT

The Federal Trade Commission's first two enforcement actions for violations of the Gramm-Leach-Bliley Act (GLB) are a cautionary tale for covered entities (CEs) under HIPAA. They underscore the risk of an enforcement action if organizations have a compliance program that is window dressing and fails with the "meat and potatoes" of assessing privacy risks and adopting safeguards.

On Nov. 16 the FTC charged two mortgage companies with violating GLB, which requires financial institutions to protect the privacy and security of consumer information. GLB provisions, which mirror the HIPAA privacy rule in key areas, took effect in May 2003.

In separate administrative cases, FTC alleges that Nationwide Mortgage Group, Inc. of Fairfax, Va., and Sunbelt Lending Services, Inc., a subsidiary of Cendant Mortgage Corp., headquartered in Clearwater, Fla., violated GLB's so-called safeguards rule. "The Safeguards Rule requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information," FTC says. For instance, financial institutions must designate a high-level employee to oversee the privacy and security program; conduct a risk assessment; deploy safeguards to control the risks identified in the assessment; test and monitor the risks; sign written contracts with "service providers" — the GLB version of business associates — and periodically update their security programs.

The FTC alleged that both mortgage companies failed to comply with GLB's basic requirements. For example, the mortgage companies allegedly didn't assess the risks to sensitive customer information or install safeguards to minimize them.

Also, FTC alleged that Nationwide failed to carry out safeguards to protect customers' names, Social Security numbers, credit histories, bank account numbers, income tax returns and other sensitive financial data. Nationwide allegedly didn't train employees on information security, oversee its loan officers' handling of customer information, monitor its computer network for soft spots or provide consumers with privacy notices describing how they use and disclose consumers' personal information.

Sunbelt allegedly neglected to provide online customers with privacy notices and failed to oversee the security practices of its service providers and loan officers working from remote locations around Florida, FTC stated.

To resolve the allegations against Sunbelt, FTC negotiated a settlement designed to prevent ongoing GLB violations. The proposed "consent order" with Sunbelt requires (1) an independent professional to certify that its security program meets or exceeds the standards set forth in the consent order - at the six-month point and every other year subsequently, and (2) standard record-keeping provisions that enable the FTC to monitor Sunbelt's compliance. A consent order is not an admission of wrongdoing.

This is not the first time FTC has hit companies for alleged privacy violations. In one of the most high-profile privacy cases ever, the commission pursued Eli Lilly for sharing the names of several hundred Prozac users over the Internet. Eli Lilly's error was allegedly caused by an untrained, inexperienced programmer who was oblivious to Eli Lilly's information security and privacy policies and procedures, the lawyer says. FTC and Eli Lilly negotiated a settlement in the case.

December 21, 2004
Federal Reserve Board Joint Press Release
Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision

Agencies Announce Final Rules on Disposal of Consumer Information
The federal bank and thrift regulatory agencies today announced interagency final rules to require financial institutions to adopt measures for properly disposing of consumer information derived from credit reports.

Current law requires financial institutions to protect customer information by implementing information security programs. The final rules require institutions to make modest adjustments to their information security programs to include measures for the proper disposal of consumer information. They also add a new definition of "consumer information."
The agencies' final rules implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and include this new statutory requirement in the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (retitled the Interagency Guidelines Establishing Standards for Information Security), which were adopted in 2001.

The final rules will take effect on July 1, 2005.