THE GAZETTE
Wednesday, February 26, 2014 s
Page A-5
AROUND THE COUNTY Databreachesmaybecomemorecommon Three from Takoma Park are n
Systems like University of Maryland’s ‘are constantly targeted’ RYAN MARSHALL AND LINDSAY A. POWERS
BY
STAFF WRITERS
As authorities at the University of Maryland continue to investigate a data breach that compromised the personal information of more than 300,000 records of students, faculty and alumni, state officials are concerned that such incidents won’t stop anytime soon. The incident, which university President Wallace D. Loh described in a Feb. 19 letter to students, parents and others as a “sophisticated computer security attack,”compromisedadatabase kept by the school’s information technology department that contained 309,079 records containing the names, Social Security numbers, dates of birth and university identification numbers of students, faculty and alumni who had been issued university identification cards since 1998. The breach came on the same day Gov. Martin J. O’Malley (D), U.S. Sen. Barbara Mikulski (D) and Montgomery County Executive Isiah Leggett (D) signed an agreement that will help solidify the county’s plans to build the National Cybersecurity Center of Excellence in Rockville. State and federal law enforcement agencies are investigating the cause of the breach, Loh’s letter said. Max Milien, a spokesman for the U.S. Secret Service, said the agency is involved in the investigation. The school had no new information to report Thursday, said spokeswoman Pam Lloyd. Joe Bucci, director of marketing and communications for The Universities at Shady Grove, said Thursday that the campus has
1841786
about 1,440 University of Maryland, College Park, undergraduate and graduate students as well as about 150 to 200 College Park faculty and staff who were affected by the breach. Other affected people include undergraduate students enrolled in programs at Shady Grove from Towson University; the University of Baltimore; the University of Maryland, Baltimore; the University of Maryland, Baltimore County; and the University of Maryland, Eastern Shore. Shady Grove officials think that about 2,600 undergraduate students — both currently enrolled and former students — who participated in the five university programs at the campus were affected, Bucci said. Bucci said these students were affected because the campus issued them Shady Grove IDs, which were in the same database that held the College Park IDs. The Shady Grove campus does not issue IDs to graduate students. “We’re still trying to get a handle on exactly how many [affected people] there are,” he said. “It goes back to the inception of [The Universities at Shady Grove in 2000].” It’s hard to judge how sophisticated the University of Maryland attack was because of how little information is publicly known, said Chris Ensey, COO of Dunbar Digital Armor, a Hunt Valley cybersecurity firm. But he said collections of student data are rich with personal information that make them regular targets for hackers. Many students have shorter credit histories that make it easier to use the information to open new lines of credit, Ensey said. “University systems are constantly targeted,” he said. Donna Schena, interim vice president of instructional and information technology and chief information officer for Mont-
gomery College, said the college usesa“multi-prongedapproach” to prevent security hacks into personal information. “The threat is constant and the diligence, therefore, has to be constant,” she said. Strategiesincludetechnology that watches for and intervenes with threats, physical security for buildings and machines, and managing access to the college’s computer technology and resources, she said. Schena said the college also works hard to educate its studentsandstaffaboutinformation security. Patrick Feehan, director of IT privacy and cybersecurity compliance at Montgomery College, described the college as working in “a constant circle of change” when it comes to preparing against virtual security threats. “We’re in a quickly evolving landscape as the world gets more wired,”hesaid.“We’reconstantly having to update how we view threats and how we view vulnerabilities.” The Washington Post reported the breach took place at 4 a.m. on Feb. 18. Hours later, the officials inked the plans for the cybersecurity center. County officials have said they believe the facility will make the county a national center for the cybersecurity industry. These types of breaches are why the state, as an institution, is focused on cybersecurity, said Sen. James C. Rosapepe. “It’s not a problem that will go away,” said Rosapepe (D-Dist. 21) of College Park. He said the latest breach is a dramatic example of the opportunity Maryland has to develop its cybersecurity sector. A September 2012 audit by the state’s Office of Legislative Audits revealed that the Department of Information Technology hadn’t created a way to monitor andenforceitsInformationSecurity Policy even though Maryland
law made it responsible for enforcing the policies, procedures and standards for state agencies. The department’s policy shifted responsibility to each state agency to make sure it was complying with the information technology department’s policy. The report revealed that state agencies weren’t required to share the same amount of information about data breaches as private entities, said Tim Brooks, director of performance audits for the Office of Legislative Audits. Since the audit was done, the General Assembly has passed a law that state agencies would be bound by similar requirements as private companies for the security and encryption of information and to notify the Attorney General’s office, Department of Information Technology and any people affected by a breach, he said. Since the report, information security assessments are included as part of each state agency’s fiscal compliance audit that is done every three years, he said. Agencies and private companies both have to always be vigilant to look for signs that data has been compromised, Brooks said. “It’s a constant battle. It requires constant surveillance,” he said. Hackers’ level of sophistication is increasing every day, and the problems they cause won’t go away anytime soon, Ensey said. As technology becomes more pervasive, the number of wireless-enabled devices people carry will create more conduits for hackers to gain access to information. “The complexity of IT security has exponentially increased,” Ensey said. Staff Writer Kate S. Alexander contributed to this report. rmarshall@gazette.net
charged with Medicaid fraud Part of large health care enforcement action in D.C.
n
BY
SARAH SCULLY STAFF WRITER
More than 20 people were arrested Thursday as part of the largest ever health care fraud crackdown in Washington, D.C., according to a press release from the office of the U.S. Attorney for the District of Columbia. The cases result from years of investigation by more than 200 law enforcement officials and include numerous separate schemes, authorities said. Three Takoma Park residents were charged with Medicaid fraud in the case, according to the press release. They included Felix Aburi Fon, 41, and his wife, Mirabel Tenjoh Mukum, 32, who were charged with conspiracy to commit health care fraud and health care fraud, among other counts. They allegedly filed more than $124,000 in fraudulent claims, authorities said. Fon and Mukum were personal care aides for Immaculate Health Care Services, a D.C.based agency providing home health care. Mukum also was employed by Nursing Unlimited Services, Inc. They allegedly offered kickbacks to two Medicaid beneficiaries to sign up for home services and assisted in submitting false time sheets for work they did not do between April 2012 and September 2013. A third aide also may have been involved in the scheme, but authorities provided no information about that person. The couple was granted bail during a hearing before the U.S. District Court last week and released, according to Greg Smith, Fon’s lawyer in the case. Mukum’s lawyer, Cynthia Katkish, said Monday that she
could not comment on the case. The U.S. Attorney’s office for D.C. also announced Thursday a separate set of health care fraud cases filed in the Superior Court of D.C. One involved Paul Tengwei, 31, of Takoma Park, who faces first-degee fraud charges. He had not yet been arrested as of Tuesday. According to charging documents, Tengwei conspired with Brandon Chenwi Shu Fobeteh of Greenbelt, Cedonne Ngwilefem Alemnji of Greenbelt and Michael Nyantakyi of Lanham in offering Medicaid beneficiaries cash in exchange for their participation in filing false claims for more than $26,000 in services. All are charged with first degree fraud. Alemnji was assigned a public defender, who, as of Tuesday, could not be reached for comment. Fobeteh and Nyantakyi had not yet been assigned lawyers, and there was no lawyer listed for Tengwei as of Tuesday. The defendants would take beneficiaries to a doctor and tell them what to say to make them eligible for the services Tengwei and the others provided, which would be covered by Medicaid, according to court documents. Tengwei and others then allegedly paid personal care assistants kickbacks for false time sheets and paid the beneficiaries to sign them. But the claimed services were never provided, according to the court documents. FBI Washington Field Office spokeswoman Lindsay Godwin said the bureau was getting many tips about fraud, and “the overall increase in the number of Medicaid recipients in the District of Columbia had grown substantially in a short amount of time,” raising suspicion. sscully@gazette.net