11 charged in Blue Cross ID theft, fraud

Holly Fournier and Mark Hicks
The Detroit News

Eleven people have been charged with identity theft and credit card fraud after a Blue Cross Blue Shield of Michigan employee allegedly printed and shared screen shots of more than 5,000 subscriber profiles.

Three are accused of using the stolen information to purchase more than $742,000 worth of merchandise at Sam's Club.

According to an indictment announced Tuesday by the U.S. Attorney for the Eastern District, former Blue Cross Blue Shield employee Angela Patton gave the printed profiles to others, who used the information to apply for credit in other people's names. Individuals arrested in Texas, Ohio and Michigan possessed the screen shots, as well as counterfeit identification cards and credit cards in the names of Blue Cross subscribers, according to a new release.

Those indicted include Patton, 47, of Belleville; Sam Patton, 47, of Dearborn; Dontez Patton, 23, of Woodhaven; Johnathon Weston, 24, of Detroit; Charlie Smith, 47, of Detroit; Thomas Turner Sr., 47, of Detroit; Aramona Coleman, 56, of Southfield; Tynekwa Hill, 26, of Pontiac; Jeffrey Morton, 41, of Oak Park; Verdell Kennedy, 45, of Detroit; and Raymond Thomas, 40, of Oak Park.

Agents who served search warrants at homes in Metro Detroit recovered additional screen shots containing personal information as well as counterfeit and re-encoded credit cards and gift cards. The information included individuals' names, dates of birth and Social Security numbers.

"Criminals should know that while technology has made it easier than ever for them to commit identify fraud, technology is also making it easier for law enforcement to catch them," said U.S. Attorney Barbara McQuade. "We are making enforcement of identity theft a high priority because this crime has become so pervasive and can be so damaging to victims."

The breach illustrates consumers' vulnerability when their personal data is collected and stored, say cybersecurity experts.

"There's more data being collected than ever before across the economy," said John Breyault, vice president of public policy telecommunications and fraud at the National Consumers League, a private, nonprofit advocacy group. "The tools to commit identify theft and the infrastructure are more organized and readily available."

The suspects allegedly possessed personal information for 5,514 Blue Cross and Blue Care Network members, according to the insurance companies. Corporate investigators also investigated the breach.

"I am personally saddened by this former employee's involvement," said Daniel J. Loepp, president and CEO of Blue Cross Blue Shield of Michigan. "(Her) alleged behavior in no way represents the ethical standards brought to work every day by our more than 7,000 employees, who are committed to serving our members with integrity and honesty."

Affected policy holders will be notified by letter and offered two years of free credit protection services, according to the insurance company's press release. Members are asked to carefully monitor their Explanation of Benefits statements and financial accounts. If they notice inappropriate activity, members can contact the Anti-Fraud Hotline at 1-800-482-3787 Monday through Friday from 8:30 a.m.-4:30 p.m.

Blue Cross Blue Shield and Blue Care Network have taken steps to protect policy holders' accounts from a similar breach, according to the company.

"We have taken a number of deliberate steps to further secure our members' information from disclosure, including limiting access to members' Social Security numbers, requiring all employees to change their passwords, and installing new printing devices that require employees to scan their coded badges to print," said Kevin Klobucar, CEO for Blue Care Network.

The incident signals to companies that they "need to do a better job of maintaining their information security — seeing where there are opportunities for identity theft to happen," said Breyault.

The investigation follows a probe by Indianapolis-based Anthem Inc., that in February announced it was offering identity theft protection to current and former customers dating back more than a decade after hackers broke into a database storing information for 80 million people.

The Blue Cross affiliated insurer said hackers got past several layers of security to reach the database after Dec. 10 and before Jan. 27. Intruders gained access to names, birth dates, email addresses, employment details, Social Security numbers, incomes and street addresses. Investigators determined no medical and credit card information was breached.

The information insurers and medical care providers have access to can be exploited " ... to engage in identity crimes — (like) creating new debit or credit cards," said Thomas Holt, an associate professor in the School of Criminal Justice at Michigan State University. "We need to study the health care arena more to understand where their vulnerabilities are to shore them up from a corporate security perspective."

Associated Press contributed.