About 8,000 blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross were notified last week that personal information about them was allegedly stolen by a former employee in March and might have been used in identity thefts.
At least four of the donors were victims of the data-theft scheme, said Jim Williams, a spokesman for the regional agency. An investigation is continuing to determine if any other donors have been affected.
The thefts occurred when a telephone blood-drive recruiter entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.
The former employee, 20-year-old Lonnetta Shanell Medcalf of St. Louis, then allegedly opened credit card accounts at several stores using the stolen information and made purchases valued at more than US$1,000, according to a statement by the U.S. Attorney's office in the eastern district of Missouri.
Medcalf began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered, Williams said. Medcalf had 8,000 donor contacts in her database out of more than 1 million donors in the region who were not affected by the data thefts. Her case is scheduled for trial on June 19.
The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters.
Medcalf has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud in connection with the incidents, according to the U.S. Attorney's office.
The Red Cross sent written notifications of the data breach to all 8,000 potential victims on May 17, advising them to contact credit bureaus to check their credit reports for any irregular purchases or activities. The agency is reimbursing any of the affected 8,000 donors if the credit reports can't be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it's taking additional security steps to ensure that such an incident doesn't happen again. All staff members are being reminded, for instance, that donors don't have to put their Social Security numbers into their Red Cross donor records.
The Red Cross also apologized for the incident and said it is working to improve security for such information.
If convicted, Medcalf faces a maximum penalty of 10 years in prison and/or a fine of US$250,000 for the charge of credit card fraud. Each count of aggravated identity theft also carries a mandatory two years in prison consecutive to the credit card fraud sentence.
"We feel like victims here as well, but the ultimate victims are our donors," said Williams.