Red Cross warns blood donors of possible ID thefts in Midwest

Computerworld - About 1 million blood donors in the Missouri-Illinois Blood Services Region of the American Red Cross were warned last week that personal information about them could have been stolen earlier this year by a former employee and might have been used in identity thefts.

The former worker had access to 8,000 blood donors in a database she used in her job, all of whom were notified by mail of possible identity theft problems on March 17, according to the agency. But after the original warning letters went out, the Red Cross decided to expand the identity theft warnings to all 1 million donors in the Missouri-Illinois region because of concerns that she may have accidentally accessed other records in the larger group.

The warnings to the 1 million donors are being made through the media and the agency's Web site, not through individual letters.

At least four of the donors among the original 8,000 in the donor database were victims of the data-theft scheme, said Jim Williams, a spokesman for the regional agency. An investigation is continuing to determine if any other donors have been affected.

The thefts occurred when the former employee, a telephone blood-drive recruiter, entered random numbers of past donors into her 8,000-donor database, then was able to access the names, Social Security numbers, phone numbers and birth dates of potential victims. The database uses unique donor numbers to store records for each person, and by entering random numbers, the recruiter was able to access the records of the four victims.

The former employee, 20-year-old Lonnetta Shanell Medcalf of St. Louis, then allegedly opened credit card accounts at several stores using the stolen information and made purchases valued at more than $1,000, according to a statement by the U.S. attorney's office in the eastern district of Missouri.

Medcalf began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered, Williams said. Medcalf had 8,000 donor contacts in her database out of more than 1 million donors in the region who were not affected by the data thefts. Her case is scheduled for trial on June 19.

The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters.

Medcalf has been indicted on three felony counts of aggravated identity theft and one count of credit card fraud in connection with the incidents, according to the U.S. attorney's office.