By JOHN RUSSELL
THE INDIANAPOLIS STAR
April 20, 2008
INDIANAPOLIS -- A computer server containing Social Security numbers and
other personal information of 700,000 people was stolen last month from
a Southside debt-collection bureau in what appears to be the largest
computer security breach ever in Indiana.
The information includes customer-billing records for about 100 Indiana
businesses, including Citizens Gas & Coke Utility, St. Vincent Health
and Methodist Medical Group.
The exposed data was limited to past-due billing information that had
been turned over for debt collection to the Central Collection Bureau,
the agency announced Friday. Customers whose accounts were in good
standing were not affected.
The bureau collected overdue bills on behalf of dozens of Indiana
companies, including hospitals, medical and dental offices, window
companies, water-conditioning companies and flower shops.
"We're obviously heartsick about this," said Chet Klene, the collection
agency's president. "We've been in business since 1972, and nothing like
this has ever happened before."
He said the missing computer server contained personal billing
information that was protected by two passwords but was not encrypted.
He said the server had been stored behind three locked doors.
Klene said the break-in occurred on Good Friday, March 20. The first
employee arriving at work that day noticed the break-in and immediately
called the Indianapolis Metropolitan Police Department, which
investigated but has not found the server. The collection agency has
notified companies whose billing records have been compromised, Klene
Joan Antokol, a lawyer specializing in computer security at Baker &
Daniels, an Indianapolis-based law firm, said the breach was the largest
she had seen in Indiana. No larger breaches in Indiana are included
among the hundreds of incidents listed on Privacy Rights.org, a national
"It's a problem that continues to grow," Antokol said. "There are new
cases reported all the time. It's a serious problem."
Still, this breach does not rank among the top dozen or so nationally.
Retailer TJ Maxx reported that as many as 100 million accounts were
compromised as a result of thefts and hack-ins since last year.
The U.S. Department of Veterans Affairs said information on more than 28
million veterans might have been exposed after a laptop was stolen from
an employee's house in 2006. Monster.com, a Web-based job service, said
information on more than 1 million job seekers had been stolen last
year, containing names, addresses, phone numbers and e-mail addresses.
A spokesman for Citizens Gas said its missing records were past-due
billing statements for 51,000 former customers that it was unable to
find on its own. The information included names, last known addresses,
Social Security numbers, dates of service and amount due.
Citizens has no way of notifying the former customers because their
whereabouts are unknown, spokesman Dan Considine said.
"We certainly take this very seriously, any time there is a security
breach, and we hope it gets cleared up very soon," he said.
St. Vincent Health said it had not given any billing business to Central
Collection in more than three years, so all of the missing billing
information is several years old. The stolen information included
patient billing information for St. Vincent Hospital and affiliated
physicians' practices, spokesman Johnny Smith said.
"We're committed to protecting confidential information of our patients.
We regret any inconvenience to them," Smith said.
Billing records of about 62,000 patients of Methodist Medical Group, a
physicians' group owned by Clarian Health, also were missing, as are the
records of thousands of patients at Howard Regional Health System in
The break-in is being investigated by IMPD and the Indiana attorney
Subscribe to the InfoSec News RSS Feed