Texas AG Settles with Select Medical, RadioShack on ID Theft Charges

July 17, 2008

Texas Attorney General Greg Abbott reached settlement agreements with Select Medical Corp. and RadioShack on charges the companies failed to protect their customers from identity theft.

The settlements resolve two state enforcement actions, which charged both defendants with violating state laws governing the disposal of customer records that contain sensitive personal information, the Office of the Attorney General announced.

Under the agreements, the state will receive nearly $1.5 million that will ultimately fund future identity theft investigations and prosecutions.

Also, both defendants will strengthen their existing information security policies by implementing new employee training programs that highlight identity theft prevention and educate staff about proper document destruction protocols.

Under Texas law, vendors must take specific precautions before discarding documents that include customers’ bank accounts, driver’s license and Social Security numbers.

The state’s agreement with Select Physical Therapy Texas L.P. requires the health care provider to amend its existing information security procedures to ensure future compliance with identity theft prevention laws. Select Medical must implement a new training program that educates their Texas employees about newly established privacy procedures and reviews state laws governing the disposal of customer records.

The state opened its investigation into Select Medical after the Levelland Police Department reported that more than 4,000 documents containing customers’ sensitive information were found in garbage containers behind a Select Physical Therapy Texas Limited Partnership location in that city. The records discovered by authorities contained patients’ bank account numbers, sensitive medical evaluations, drug and alcohol testing verification results, plan of care forms, insurance verification sheets, and social and vocational therapy questionnaires.

An agreement with Fort Worth-based RadioShack similarly requires the electronics retailer to enhance its existing information security procedures and implement a new employee training program. Additionally, RadioShack agreed to conduct unannounced compliance audits at all of its Texas stores at least twice a year.

RadioShack agreed to pay the state $630,000, which includes $50,000 in attorneys’ fees. Under the Identity Theft Enforcement and Protection Act, the remaining sum will be appropriated for the investigation and prosecution of future identity theft cases.

The state’s enforcement action against RadioShack began when state investigators learned that the retailer’s Portland location exposed thousands of customers’ personal identifying information by dumping sensitive records into a publicly accessible trash can. Documents recovered from the trash included a customer’s 1998 credit application and a receipt for a shredder one customer purchased to prevent identity theft. The records contained customers’ Social Security numbers, credit and debit card information, names, addresses and telephone numbers.

Source: Texas Attorney General’s Office