By Todd Weiss
May 24, 2006
About 1 million blood donors in the Missouri-Illinois Blood Services
Region of the American Red Cross were warned last week that personal
information about them could have been stolen earlier this year by a
former employee and might have been used in identity thefts.
The former worker had access to 8,000 blood donors in a database she
used in her job, all of whom were notified by mail of possible
identity theft problems on March 17, according to the agency. But
after the original warning letters went out, the Red Cross decided to
expand the identity theft warnings to all 1 million donors in the
Missouri-Illinois region because of concerns that she may have
accidentally accessed other records in the larger group.
The warnings to the 1 million donors are being made through the media
and the agency's Web site, not through individual letters.
At least four of the donors among the original 8,000 in the donor
database were victims of the data-theft scheme, said Jim Williams, a
spokesman for the regional agency. An investigation is continuing to
determine if any other donors have been affected.
The thefts occurred when the former employee, a telephone blood-drive
recruiter, entered random numbers of past donors into her 8,000-donor
database, then was able to access the names, Social Security numbers,
phone numbers and birth dates of potential victims. The database uses
unique donor numbers to store records for each person, and by entering
random numbers, the recruiter was able to access the records of the
The former employee, 20-year-old Lonnetta Shanell Medcalf of St.
Louis, then allegedly opened credit card accounts at several stores
using the stolen information and made purchases valued at more than
$1,000, according to a statement by the U.S. attorney's office in the
eastern district of Missouri.
Medcalf began working at the Red Cross branch in October and was fired
on March 2, when the incidents were discovered, Williams said. Medcalf
had 8,000 donor contacts in her database out of more than 1 million
donors in the region who were not affected by the data thefts. Her
case is scheduled for trial on June 19.
The Red Cross offices in the region last week changed the database
software to strictly limit access to any Social Security numbers in
the future, Williams said. Only names, phone numbers and birth dates
are now accessible by blood drive recruiters.
Medcalf has been indicted on three felony counts of aggravated
identity theft and one count of credit card fraud in connection with
the incidents, according to the U.S. attorney's office.
The Red Cross sent written notifications of the data breach to all
8,000 potential victims on March 17, advising them to contact credit
bureaus to check their credit reports for any irregular purchases or
activities. The agency is reimbursing any of the affected 8,000 donors
if the credit reports can't be obtained for free. The agency also set
up a toll-free hot line to aid any identity-theft victims of the
incident and said it's taking additional security steps to ensure that
such an incident doesn't happen again. All staff members are being
reminded, for instance, that donors don't have to put their Social
Security numbers into their Red Cross donor records.
The Red Cross also apologized for the incident and said it is working
to improve security for such information.
If convicted, Medcalf faces a maximum penalty of 10 years in prison
and/or a fine of $250,000 for the charge of credit card fraud. Each
count of aggravated identity theft also carries a mandatory two years
in prison consecutive to the credit card fraud sentence.
"We feel like victims here as well, but the ultimate victims are our
donors," said Williams.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.