?

Log in

UWMC Data Theft Victim Community

Recent Entries

You are viewing the most recent 9 entries

January 20th, 2006

seattle61 @ 07:07 pm: WELCOME!!
If you've come to this page first, click on the "user info" link to the left for more information about this blog AND information on how to join.

Read the specific instructions I've given for this group that are contained there, or you may find you've been removed, and not understand why...either because you didn't follow joining instructions or posting guidelines.

And thanks for coming! I hope we can be a great help to one another.

seattle61 @ 04:57 pm: Official UWMC Data Privacy Update Web Site
The new website is up as promised.

http://www.uwmedicine.org/Facilities/UWMedicalCenter/CommunityAndNews/dataprivacyupdate.htm

However, there is nor real "news" here. So far it is just a FAQ to give us more info, I noticed that it does NOT give a couple of details I was able to obtain from their hotline.

1. what the data base was being used for --an internal audit

2. that it was a new employee who did something against protocol in terms of how or where the laptops were left because her boss was not available when she had some kind of problem.)


I need to go over things a bit more carefully to see if there is anything else to highlight.

I DID see that one of the data fields includes our place of birth, so I've called my state's vital records division, and asked for the person who is involved in fraud prevention...don't want them fraudulently obtaining a birth certificate.

They will be sending me a form to fill out. Once I receive it, I'll let you know if there are any concerns about whether that will really protect me...or if there are still loopholes.

January 19th, 2006

seattle61 @ 07:26 pm: UWMC website ready to fly--link available tomorrow!
Just got an e-mail from Ms Rubin, letting me know that they are just doing the final check of the website for us. She'll be sending me the link tomorrow. Yeah.

Kathleen Sellick also e-mailed me to assure me this was in the works. I've been very impressed overall with their responsiveness to my questions and concerns. I hope this is what we can count on for the duration.

seattle61 @ 04:48 pm: WARNING: Member UserID's are visible on information page
Looking at the community info page, I see that it lists members and watchers for the whole world to see.

I'm assuming you all have the good sense to pick a user name that won't be identifying AND not to divulge personal information on your own journal, if someone were to click on your id but even so...

IT WOULD BE MUCH BETTER IF YOU CREATED AN ID TO BE USED ONLY HERE--FOR YOUR OWN PROTECTION

I've checked with LJ support, and they tell me there is no way to hide members' userid's, even from non-members.

seattle61 @ 11:53 am: Prevent change of address
One way someone can get ahold of your banking and credit card information is through a false change of address.

The Postal Service's safeguard against this is to send a confirmation to both the old and new address. This doesn't seem good enough to me, since they could manage to pick that up out of my mailbox.

I was told this morning when I called the central number, that I can go to my local post office and put an alert on my account. As I understand it, this will mean I will be called if anyone tries to put a change of addreess in. Seems much more secure.

Info on the change of address and verification process
http://www.usps.com/communications/news/press/2005/pr05_046.htm

Info on ID theft, and what a thief can do with info.
http://www.usps.com/postalinspectors/IDtheft2.htm

January 18th, 2006

seattle61 @ 07:16 pm: called the hotline today--and heard from Ellen Rubin--Website in Process
Finally noticed that there is a hotline number to call...it was right there in the letter all along
206-598-2600. (ok, I didn't "finally" notice it...I got an e-mail from Ellen Rubin, UWMC privacy officer who pointed it out to me.)

The person who answered was VERY helpful. I must have been half asleep Friday night when I was watching the newes. I thought they'd said 16,000 patients were in the database on the laptops. It was only 1600!!! Boy we're part of a more exclusive club than I'd thought!!

I was also curious what exactly had happened...here's what I understand from what he told me.

The small (1600) sampling of names was for an internal audit. The sampling was "date" based, so I'm guessing everyone affected probably went in to the Travel Medicine Center sometime in the summer like me. A new employee was handling the laptops and boss was out of town..had some problems with server and no one to help her. So the laptops were left out with the information on them (though password protected), completely against normal protocol. The forced entry was via crowbar, per police.

Well, like I said, heard from Ms. Rubin today. She informs me that they ARE indeed working on setting up a website and will notify us as soon as it is ready. Very good news.

That's the latest.

January 17th, 2006

seattle61 @ 08:29 pm: Emailed the UWMC
I e-mailed Ellen Rubin, the UWMC's Privacy Officer. She's the one who signed the letter notifying us of the security breach. I guess I'm hoping they'll give us some assistance...like Boeing did for its workers. I sent her links to Boeing's documents...I would expect at least as much from UWMC.

Haven't heard anything back, but it has only been 1 day. They are probably still trying to figure things out..probably haven't even read my e-mail yet.

I'm still wondering why it took them 10 days to send us a letter. I was just looking at the docs online regarding the University of Texas security breach a couple years ago...they notified folks the day after it happened. Why did UWMC wait?

Sorry, not trying to bash them. I'm sure there are a lot of details that come into play. These are just observations and open questions that I think need to get answered.

seattle61 @ 10:52 am: What about my CURRENT credit card accounts
A friend brought up the fact that whoever gets this information could conceivably hijack our CURRENT credit card accounts, since they have all the "confirmation" information to be able to call and change an address and request a new card.

Doesn't matter that they don't know who you have cards with...they can just start calling and hope to hit paydirt. And with so many cards concentrated into a small handful of card issuers, it really isn't farfetched.

Doesn't matter if they don't have the card number. I've called many times without the number, and just given them all the security info...and I was in!

I called up all my credit card companies and asked if I could put some sort of "password" protection on my account. One of them had a random question like favorite sports team. Whatever. LImited number of choices there...they could hit it easily. I chose something a little more esoteric. One company added this on, in addition to all the info they already had on file (that the thieves now have)

However, one card company at first said there was no way to put a password protection on my card. I persisted, explaining that if the thieves have all the security information already, we had to find someoway to protect me.

Finally they indicated that I could create a fake "mother's maiden name". Bingo. So again, I came up with something that made sense to me, but would be very hard for someone else to hit upon. I also asked them to put in their notes the question that would help me remember (just in case).

Be sure to record all this new security info someplace safe so you won't be locked out of your own account!!

Also, make sure you record every conversation you have regarding this whole issue, and file by institution/company. Include date, the person you talked to, what you agreed upon, and any confirmation numbers they may give you.

I'm also recording the time it is taking me to get all this done. It seems like I should be reimbursed. Not sure if that is wishful thinking. ;-)

seattle61 @ 12:26 am: I put a fraud alert on my account at Experian Today
Once I did that I was immediately qualified to get a credit report online, which I've printed for my UW Data Theft File.

You only have to file 1 Fraud alert, and that goes out to all the other credit reporting agencies. However, Experian's site was most forthcoming about that giving me the immediate right to a credit report. Go to the link I've listed on the community blog for more information.

The next step was to purchase 3 in 1 monintoring. This will notify me within 24 hours if anyone checks my credit or a new account shows up on my credit. That way I don't have to obsessively purchase credit reports all the time. It cost 9.95 to buy just one month. I'm hoping by then, UWMC will step up to the plate like Boeing did for its employees and purchase monitoring for all of us. Boeing is paying for 3 years of monitoring.

If you want to see details of what Boeing did, see the link on our blog page.

Powered by LiveJournal.com