NEW YORK and SEAL BEACH, CA – August 22, 2011 – Identity Finder, LLC (www.identityfinder.com), a global leader in identity theft prevention and data loss protection (DLP), discovered that a website exposed documents containing hundreds of individuals’ health information and database files containing approximately 300,000 names and social security numbers of California residents who applied for workers' compensation benefits. Identity Finder notified the website’s owners, Southern California Medical-Legal Consultants, Inc. (SCMLC), of the breach on May 11, 2011 and SCMLC restricted access to all files within minutes of notification.
"Identity Finder is in a race against identity thieves," said Todd Feinman, CEO of Identity Finder. "If we don’t help companies discover exposed data, thieves will find them first and harvest social security numbers for illicit use or trade the knowledge of their existence so others can steal them."
The risk to victims’ is far lower than it could have been thanks to Identity Finder’s discovery and SCMLC’s remediation. Recent trends show that when unethical hacking groups find personal information, they are now more commonly posting that information to the internet for everyone to see and potentially download for identity fraud.
Security researchers at Identity Finder discovered several gigabytes of .dbf, .xls, .cdx, and .pdf files containing confidential information by using the Identity Finder DLP enterprise software and manually searching internet search engines for common keywords. The files were neither encrypted nor password-protected and some were cached by at least one major search engine. Identity Finder subsequently worked with Google to clear search engine caches and provided SCMLC with a comprehensive report generated by Identity Finder DLP software. SCMLC launched its own internal investigation and issued a press release.
Identity Finder analyzed the data using their sensitive data discovery software that automatically finds health records, social security numbers, and other types of confidential information. It found that the data contained patients’ confidential health records and other personal details. The largest cache of personally identifiable information included approximately 300,000 Social Security Numbers belonging to workers’ compensation benefits applicants. A detailed analysis of the data was provided to SCMLC in the Identity Finder DLP Report and a summary of statistics is below:3,875 uncompressed files contained personally identifiable information