Ken Paxton

Wednesday, July 16, 2008

Attorney General Abbott Reaches Agreements That Will Help Protect Texans From Identity Theft

AUSTIN Texas Attorney General Greg Abbott reached settlement agreements with Select Medical Corp. and RadioShack that will help protect Texans from identity theft. The settlements resolve two state enforcement actions, which charged both defendants with violating state laws governing the disposal of customer records that contain sensitive personal information.

Under the agreements, the state will receive nearly $1.5 million that will ultimately fund future identity theft investigations and prosecutions. Equally important, both defendants will strengthen their existing information security policies by implementing new employee training programs that highlight identity theft prevention and educate staff about proper document destruction protocols. Under Texas law, vendors must take specific precautions before discarding documents that include customers’ bank accounts, driver’s license and Social Security numbers.

Recognizing that identity theft is one of the nation’s fastest growing criminal enterprises, the Texas Legislature passed laws to protect Texans from this crime, Attorney General Abbott said. Under today’s agreements, both defendants will implement new procedures that will better safeguard their customers’ personal information. Equally important, nearly $1.5 million in proceeds from these settlements will be used to fund future identity theft investigations and prosecutions.

The state’s agreement with Select Physical Therapy Texas L.P. requires the health care provider to amend its existing information security procedures to ensure future compliance with identity theft prevention laws. Select Medical must implement a new training program that educates their Texas employees about newly established privacy procedures and reviews state laws governing the disposal of customer records.

Under the agreement, all Select Medical Texas employees must take the training annually for the next five years. The mandatory course will explain identity theft, its costs to individual customers and the importance of complying with the company’s newly implemented document disposal protocol. To further ensure that employees comply with the new protocol, each of Select Medical’s Texas locations must post signs detailing records storage and disposal requirements. They also must maintain certification records that show each employee’s compliance with the training requirements.

Select Medical agreed to pay the state of Texas $990,000, which includes $100,000 in attorneys’ fees. Under the Identity Theft Enforcement and Protection Act, the remaining sum will be appropriated for the investigation and prosecution of future identity theft cases.

The state opened its investigation into Select Medical after the Levelland Police Department reported that more than 4,000 documents containing customers’ sensitive information were found in garbage containers behind a Select Physical Therapy Texas Limited Partnership location in that city. The records discovered by authorities contained patients’ bank account numbers, sensitive medical evaluations, drug and alcohol testing verification results, plan of care forms, insurance verification sheets, and social and vocational therapy questionnaires.

An agreement with Fort Worth-based RadioShack similarly requires the electronics retailer to enhance its existing information security procedures and implement a new employee training program. RadioShack’s training curriculum will largely mirror the requirements outlined in the state’s agreement with Select Medical. Additionally, RadioShack agreed to conduct unannounced compliance audits at all of its Texas stores at least twice a year. RadioShack agreed to pay the state $630,000, which includes $50,000 in attorneys’ fees. Under the Identity Theft Enforcement and Protection Act, the remaining sum will be appropriated for the investigation and prosecution of future identity theft cases.

The state’s enforcement action against RadioShack began when state investigators learned that the retailer’s Portland location exposed thousands of customers’ personal identifying information by dumping sensitive records into a publicly accessible trash can. Documents recovered from the trash included a customer’s 1998 credit application and a receipt for a shredder one customer purchased to prevent identity theft. The records contained customers’ Social Security numbers, credit and debit card information, names, addresses and telephone numbers.

Although neither investigation revealed confirmed incidents of personal information being obtained or misused by identity thieves, customers whose records may have been contained at the affected locations should carefully monitor bank, credit card and similar financial statements for evidence of suspicious activity. Texans should also annually obtain free copies of their credit reports from to guard against this growing crime.

Consumers who wish to file a complaint may contact the Office of the Attorney General at (800) 252-8011 or do so online at, where they can also obtain information on identity theft detection and prevention.