An Overland Park man found an ominous voicemail waiting for him when he got home one Friday night in September.
His mortgage loan documents had been stolen from a loan official’s car while it was parked at a gym almost 12 hours earlier.
His Social Security and driver’s license numbers, two years of tax returns and other sensitive documents had been stolen.
“I thought, ‘Wow, what do I do now?’ ” said the man, who asked that his name not be published for security reasons. “Somebody has potentially every ounce of information that you always wanted to protect.”
In our fast-paced world, more and more American workers are taking work home. Sensitive documents, both electronic and paper, are being transported from offices to homes, sometimes with stops in parking lots of restaurants, bars, grocery stores and gyms.
And along the way, thefts of personal information are occurring.
Businesses are scrambling to cope, and state legislatures are looking for ways to protect the public.
Privacy Watch Clearinghouse has been tracking data breaches since 2005. Since that year, the nonprofit has tracked at least 600 million records that have been breached by hacking, by theft or in other ways.
But that number is probably low, said director Beth Givens, because the only breaches the organization learns about are ones that garner media attention. And many states do not require companies to report data breaches to a central clearinghouse.
Some cases noted by the clearinghouse:
Earlier this year, about 7,100 seniors who were in the Meals and Wheels programs in Wichita became victims of a data breach when a thief broke into a vehicle owned by an employee of the state Department of Aging in Wichita. Paper files, a laptop and a flash drive containing 100 of the seniors’ Social Security numbers were taken.
A briefcase full of sensitive personnel records was stolen from the vehicle of a Larch Corrections Center manager. A Larch human resources manager allegedly took the records home over last weekend to review them, then left his briefcase on the seat of his car while he worked out at the 24-Hour Fitness Center. Someone smashed a window in the car while the employee was in the gym. More than 40 files were missing. The files contained forms known as I-9s, which provide documentation that employees are legally able to work in the United States. They included driver’s license and Social Security information.
A physician who worked for two Boston hospitals put an external hard drive in luggage that was left in a taxi and lost last year. The hard drive was believed to contain information about patients’ hospital stays over 18 months and may have included names and medical records.
A laptop with patient information was stolen from the Houston home of an M.D. Anderson Cancer Center faculty member in April. The laptop was not encrypted and contained about 30,000 patient names, medical record numbers, treatment and research information, and some Social Security numbers.
Givens said while no one can be completely protected from identity theft, taking action immediately after personal information is stolen is important.
Individuals who are notified that their personal data have been stolen are four times more likely to be the victim of identity theft within one year, even with the warning the notification provided, according to a 2009 report by Javelin Research & Strategy.
Many states are stepping up to protect the public from data breaches, requiring that company computers used out of the office be encrypted in certain situations and that theft victims be notified. But a shortcoming of those laws is that they address only electronic files and not paper-based files, Givens said.
Both Missouri and Kansas have been addressing the issue and both have laws that require that consumers be notified of data breaches in most cases. But the law is silent when it comes to paper records.
In the Overland Park case, the Pulaski Bank loan officer had gone to the gym before work, according to police.
The victim said bank officials didn’t leave him a phone message until about 3:30 p.m. When he got home after 6 p.m. he tried to call the bank, but there was no answer.
“I was very frustrated,” he said.
Finally, he contacted his Realtor, who located an official with Pulaski Bank who could tell him only that some records were missing.
“Nobody could tell me for sure if my entire file was gone or not,” he said.
There was no explanation of why it took so long for him to be contacted, he said.
But he did learn from a bank official and police that several other loan applications had been in the car along with a laptop.
The victim said the bank is providing him identity theft protection for two years, as well as some financial considerations on his mortgage. Kevin King, general counsel for Pulaski Bank, said bank officials would have no comment because Overland Park police are still investigating.
“Pulaski Bank has followed all applicable internal policies in adherence to regulatory guidelines,” King said in a statement.
Officer Gary Mason with the Overland Park Police Department said usually the thieves are not out to steal identities.
“A lot of times these suspects will take whatever they can get their hands on,” Mason said. “They aren’t necessarily targeting any files.”
The victim said there’s no indication that his identity has been stolen, but he’s still worried.
The public needs to be aware of the potential for data breaches, said Cortney Lanik, a spokeswoman with LifeLock, a company that protects customers from identity theft.
Social Security numbers are the most valuable of all personal information because they never expire, Lanik said.
Experts say anyone who learns personal data have been stolen needs to place a freeze on their credit reports and ask that a fraud alert statement be placed on their account, notifying creditors that they may be a victim of fraud. They also should continue to monitor their credit reports for security breaches. Criminals may open new accounts using their name and Social Security number.