Data on 6,000 DCH employees is missing

Sarah Bruyn Jones
4/6/2007 – A disk and documents containing the Social Security numbers and personal information of 6,000 DCH Health System employees are missing, raising concerns about identity theft.

An encrypted disk and hard-copy documents containing employees’ personal identification information were lost in early March by Mercer Human Resources Consulting, the company that reviews DCH’s pension plan to determine annual employer contribution requirements.

DCH employees were notified of the security breach Thursday. The situation could affect anyone on the payroll in 2006 at DCH Regional Medical Center, Northport Medical Center or Fayette Medical Center.

Additionally, any retirees, former vested participants in the pension plan and surviving spouses of retirees or vested participants could be at risk of for identity theft.

A letter was mailed to all parties who could be affected.

Neither Mercer nor DCH knew of any personal information that had been accessed or illegally misused.

The pension documents had been mailed from Mercer’s Birmingham offices on March 2, but disappeared after they reached their destination in Louisiana. They had been sent to a Mercer employee.

However, Mercer did not notify DCH until March 22 that a package of documents containing retirement benefit information had disappeared. It was about a week before Mercer realized the package was missing, said Mercer spokesman Charles Salmans.

The package’s tracking data indicated that it had been delivered to the addressee’s building, but the intended recipient never received it.

“It was sent without requiring the addressee to sign for it, which should not have happened,” Salmans said, adding that an investigation was still under way.

Mercer, an entity of the Marsh & McLennan Cos. Inc., is covering the cost of monitoring the affected parties for possible identity theft for a year. The identity protection program is being provided by Kroll Inc. another Marsh & McLennan company.

Additionally all affected parties have been told how to request a free copy of their credit reports.

“Mercer regrets that this incident has occurred and any inconvenience it has caused DCH Health System employees,” Salmans said.

DCH waited until the agreement for the identity protection program was in place before announcing the security breach.

“We felt it was best if we could tell our employees of the issue and solution at the same time,” said Brad Fisher, DCH spokesman. “It took time for [Kroll] to log our names into the system and for us to prepare the mailing to go to the employees. All that logistical stuff took time, that’s what we did until today.”

Salmans said a police report has been filed but he didn’t know with which law enforcement office. He said that since the package was sent via a private carrier, not the U.S. Postal Service, federal authorities are not involved. Salmans declined to identify the company that was used to ship the package.

Employees at Pickens County Medical Center are not affected by the loss. PCMC’s pension plan is administered by DCH Health System, but it is a separate pension plan.

“DCH has been a strong advocate for our employees and retirees since it became aware of the situation,” said Bryan Kindred, president and CEO of DCH, in a written statement.

Kindred said DCH would reassess how its vendors safeguard employee and other personal data.

Reach Sarah Bruyn Jones at sarah.jones@tuscaloosanews. com or 205-722-0209.

florida shredding