Apr 5, 2007
TUSCALOOSA | The social security numbers and other personal identification data of 6,000 DCH Health System employees are missing raising concerns about the possibility of identity theft.
An encrypted disc and hardcopy documents containing the personal identification information were lost by a consultant company -- Mercer Human Resources Consulting -- that reviews the DCH pension plan to determine the annual employer contribution requirements.
Neither Mercer nor DCH were aware of any of the information being accessed or illegally misused.
Mercer notified DCH on March 22 that a package of documents containing retirement benefit information had disappeared. The pension documents had been mailed from Mercer offices in Birmingham March 2, but disappeared after reaching its intended destination in Louisiana.
It was about a week before Mercer knew the package was missing, said Charles Salmans, a Mercer spokesman.
While tracking data indicates the package was delivered to the addressee’s building, the intended recipient never received the package.
“It was sent without requiring the addressee to sign for it, which should not have happened,” Salmans said, noting the matter is still under investigation.
DCH employees were notified of the security breach Thursday. The situation puts anyone on the payroll at DCH Regional Medical Center, Northport Medical Center or Fayette Medical Center in 2006 at risk for identity theft. Additionally retirees, former vested participants, surviving spouses of retirees or vested participants are at risk. A letter was mailed to all those affected.
Mercer, an entity of the Marsh & McLennan Companies Inc., has taken full responsibility for the incident and is covering the costs monitoring the affected individuals for identity theft for a year. The identity protection program is being provided by another Marsh & McLennan entity, Kroll. All those affected have been told how to request a free copy of their credit reports.
DCH waited until the deal for the identity protection program was in place before announcing the security breech.
“We felt it was best if we could tell our employees of the issue and solution at the same time,” said Brad Fisher, DCH spokesman. “It took time for [Kroll] to log our names into the system and for us to prepare the mailing to go to the employees. All that logistical stuff took time, that’s what we did until today.”
Salmans said a police report has been filed but he didn’t know with what authority. He did say that an outside carrier and not the U.S. Postal Service sent the package, so federal authorities are not involved. Salmans said he wasn’t prepared to identify the company used to mail the package.
Pickens County Medical Center, while administered by DCH Health System, has a separate pension plan and no employees there were affected.
“DCH has been a strong advocate for our employees and retirees since it became aware of the situation,” said Bryan Kindred, president and CEO of DCH, in a written statement.
Kindred said DCH would reassess how its vendors safeguard employee and other personal data.
“Mercer regrets that this incident has occurred and any inconvenience it has caused DCH Health System employees,” Salmans said.
Reach Sarah Bruyn Jones at firstname.lastname@example.org or 205-722-0209.