HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

University of Minnesota Professors Defrauded after Mystery Data Breach

In order for an individual to commit tax fraud – file false tax returns in the name of another individual – the criminal must have access to certain information about the victim. The information is generally not readily available, so it must be obtained from someone who has that data.

Healthcare providers and insurance companies are often targeted specifically for the data they hold. With just a few data fields criminals can steal identities and files fake tax returns – as well as commit may other types of fraud.

Hackers attempt to break through defenses, thieves target medical devices containing Protected Health Information (PHI) and insiders are used to abuse their access rights and steal data,

When tax fraud is discovered, especially tax fraud involving a specific group of individuals, the source of the data breach is often relatively easy to identify. All victims worked at a specific hospital, were enrolled in the same health plan or had used the same pharmacy chain, for example.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

However, a number of fraudulent tax returns have recently been made in the names of University of Minnesota staff, and the cause of the breach is proving to be something of a mystery. In this case, tax fraud has been discovered by two University of Minnesota professors of the Sociology and Psychology faculties. They found they were unable to file tax returns as another person had already done it for them. Other work colleagues were also victims of tax fraud.

Clearly not a coincidence, the matter was reported to the University in April of this year, and an investigation was initiated; however there was no evidence of any data breach discovered two months on. The computer network was analyzed and there was simply no evidence to suggest that the data breach had occurred at the university.

According to an MPR news report, when asked if any investigations were being conducted internally to determine whether a member of faculty staff had leaked data, Steve Henneberry, a spokesperson for the University said “there is no information to support that.”

According to the report, various theories have been put forward as to the source of the data. Human Resources chief, Kathryn Brown, suggested the crimes were the result of “random criminal activity”. The current assumption is that the data breach occurred at an external agency, be that a healthcare provider or insurance company or other holder of sensitive data. The likely alternative is an insider at the University, but with no evidence of any improper access discovered, there is little more the University can do apart from remain vigilant.

Unfortunately for the breach victims, since the cause of the breach has not been discovered, there is no one to offer fraud mitigation and identity repair services. The cost must be covered by the fraud victims themselves.

The University of Minnesota has taken appropriate action and investigated, but with no breach discovered there is little that can be done. It is up to the victims to identify the common denominator and attempt to discover the cause of the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.