Have you received a scam SMS message enquiring about an item you are selling on Gumtree, eBay or other for-sale sites? The txt will usually be generic.
Txt example: "Good Morning. Messaging about your Ad on Gumtree. I will like to know the condition and firm price. Kindly email me on jamestaylor062@gmail.com" (one of the many scammer email addresses used).
There are literally hundreds of email addresses used by these scammers. If you receive a scammer txt or email, help others avoid being scammed by posting the email address and message on our topic at Scam Warners Forum.
The Scam
Sellers will receive an SMS requiring future contact by email (usually a Gmail address). The buyer negotiates a deal, usually agreeing to pay the seller's advertised price, organises an overpayment through PayPal to cover shipping costs and lets the seller know a shipping company will be in contact.
The seller receives an email from the shipping company including instructions etc. The buyer confirms payment has been made to PayPal and that all that remains is for the seller to pay the shipping company through Western Union (untraceable transaction).
Of course, no money has ever been paid to PayPal, despite the seller receiving a notification by PayPal email. The scammer gets the shipping costs and the seller remains stuck with the goods.
It is relatively easy to identify the scam. Sellers will usually receive an SMS that cannot be replied to and with no specific information about the item the scammer wants to purchase (similar to the example above).
If you receive an SMS or email that you feel may be from a scammer, do a quick search for their email address. It is very likely that a complaint has already been made.
For more information on these scammers, including examples of txts and emails, the scammers' preferred shipping company "Auto Shippers International" and other information, head over to our topic on Scam Warners, "Scammer Emails Ebay Gumtree Craigslist Autotrader".
The ripoffs that rarely make the headlines. Data theft, theft of IP, no intention to provide a service or product, employee fraud, passing off and false allegations are just some of the topics we cover here.
Wednesday, 18 September 2013
Sunday, 8 September 2013
Suspect Identity Thief Roselyn Singh Continues To Mislead Local Business Owners
Unfortunately, two more local businesses have recently been duped by Ms Singh, both of which are heading to the civil courts in an attempt to retrieve their loss and damages.
Sadly, these affected organizations stumbled across the original article about Singh and her deeds after they had been taken to the cleaners.
Due to proceedings before the courts we cannot name the businesses at this time.
The Data Theft Blog was launched in September 2012 to highlight deficiencies in legislation dealing with insider data theft and to expose incidences of this insidious type of fraud.
Recent amendments to the Privacy Act have put business owners on notice that they are responsible for data breaches affecting consumers and, at the discretion of the Privacy Commissioner, may be heavily fined.
However, an insider (employee) data thief, the most likely perpetrator or cause of a breach, is immune from prosecution and can only be dealt with in the civil courts if the affected business owner has the resources and money to pursue them.
Singh registers "Data Theft" and various combinations of our blog's name.
True to form, Singh has recently registered (July 2013) variations of the "Data Theft" brand through her company UTSG. In a previous article about Sydney Medical Centre owner Roselyn Singh, we dealt with her interesting methods of doing business.
One of Singh and her company UTSG Consortium Pty Ltd's many deceptive practices is registering variations of competitor brands as business names and then passing off on her website with these brands in an attempt to confuse consumers.
We have more to report on this and other deceptive & misleading practices by Ms Singh and will do so shortly. It will be interesting to see how Singh intends to use the Data Theft brand.
Original Article
Do you know more?
If you have information about Singh's interesting conduct, Contact us
Labels: breach of confidence, breach of privacy, cyber crime, data theft, fraud, identity fraud, misleading and deceptive conduct, roselyn singh
Friday, 2 August 2013
Has your business been a victim of Data Theft?
Small business owners are potentially facing financial ruin as a result of the ill-conceived Privacy Amendment (Enhancing Privacy Protection) Bill 2012, introduced late in 2012 by Nicola Roxon, which didn't consider many of the representations made by key stakeholders directly affected by its introduction.
Personally Identifying Information (customer records)
As at March 2014, business owners may be obligated to notify affected persons of any breach of their personal information and, at the discretion of the Privacy Commissioner, may be liable to heavy fines.
We agree that if a business deliberately sets out to breach the privacy of its customers, or does not provide adequate security over customer information, it should be fined and obligated to notify its customers of the breach. However, the bill has failed to address insider (ex-employee) data theft.
Employees require access, and misuse of that access to steal customer data is not covered by the bill. Independent research has indicated 70% of IP or data theft is committed by insiders. In a speech at a Canberra Press gathering, Ms Roxon admitted that the greatest threat to data security within Government is corrupted public servants.
The challenge for any business is that limiting user access to sensitive data is not a viable strategy for preventing data theft. Employees and subcontractors (for example, health workers) across most industries need access to view and change critical data to perform their everyday job functions.
An insider cannot be charged by Police or any other authority for data theft.
Identity theft is only a fraction of the problem and cost to the community when compared to insider data theft. Data theft by insiders is affecting thousands of businesses and costing business owners, their employees and their families billions of dollars each year, and this doesn't include the knock-on effect to suppliers.
Readers may remember attending their local medical centre and seeing the large number of paper folders containing patient information housed in lockable cabinets. Some practices still use this method to store patient records. Lucky them. You can't conceal very many paper folders and remove them without being noticed, and you would need a truck to remove thousands.
With initiatives provided by Government and a need to move into the digital age, medical practices all over Australia computerised patient files and installed practice management software to manage them. Computerised records provide the morally bankrupt healthcare worker a quick and easy way to rip off their employer, and it is happening at epidemic levels all over Australia.
The Health industry is not the only business category subject to this insidious type of fraud. It is happening across many business categories and will continue whilst our Politicians and bureaucrats choose to deny it is even a problem.
It would not be uncommon in some industries for even a small business to have many thousands of customer records. In the case of a small to medium size medical practice this could easily be 30,000 patient records or more. An online sales business may easily have hundreds of thousands of customer records. What does the business owner do if they suspect an employee has stolen customer records? Do they assume the whole database has been breached and contact every customer?
Business owners can't rely on Police, the Privacy Commissioner, ASIC, Fair Trading or any other authority to investigate insider data theft. Their response to a report will be that it is a commercial matter to be dealt with in the civil courts.
If an insider embezzled, in cash, an amount that equalled the value of what is in many cases a business's most valuable asset (the customer database), they would likely be spending a number of years in gaol. Removing customer information without the authority of the customer and the business owner is theft and often, just like stealing cash, has an immediate financial impact on the business and everybody who works in the business and their families.
The only recourse for affected business owners is very expensive, usually protracted litigation in the District or Supreme Courts. Very few, if any, small business owners can sustain the financial impact of data theft and pay the huge costs of litigation, let alone now face a heavy fine, the resource cost of notifying affected customers and managing the fallout from that notification.
Even if the business owner does pursue the data thief in the civil courts, it takes many months, sometimes years, to get a judgement.
The Amendment Bill is a double whammy for business owners, while the insider data thief remains immune from prosecution, more often using the spoils to help secure a position with a competitor or start their own business.
Even the most secure of systems are susceptible to data theft due to employee access.
Rather than join a competitor or start a business, a disgruntled employee could just as easily walk out of a business with thousands of customer records and pass them to an identity thief. The first time an affected customer would know about it is when they got a knock on the door from a sheriff chasing down a debt they don't even know about.
It is the misuse of this access by insiders that is the issue, and rarely ever the business owner's negligence in providing suitable security over what is often their most valuable asset.
Now there are a range of security solutions which provide additional security over databases and will have access logs, notification bells and whistles and alerts up the wazoo. However, if a disgruntled employee is set on stealing customer data, they will get the data. No amount of security can prevent a determined insider data thief.
Another Labor policy, not properly researched and introduced with the promise to fix what?
Do you have a business or know a business which has experienced data theft by an ex-employee? Submit your story.
Labels: breach of confidence, data theft, data theft by healthcare professionals, employee theft, identity fraud, identity theft, Nicola Roxon, Privacy Amendment - Enhancing Privacy Protection Bill 2012
Location: Sydney NSW, Australia
Sunday, 26 May 2013
Are You Protected Against Medical Identity Theft
Theft of patient files by ex-employees is out of control in Australia and will likely remain so until an amendment bill is added to current fraud and privacy legislation.
Unfortunately, cases of medical data theft by ex-employees rarely make it to court, as many affected practice owners don't have the financial means to pursue the thieves. The immediate impact on revenue caused by data theft leaves practice owners virtually no opportunity to take out any sort of legal action. The big medical chains injunct ex-employee data thieves; the smaller centres face an uncertain future, with limited resources to fund their business expenses following data theft, let alone the additional funding of any form of litigation.
Patients affected by data theft can never be sure their personal information will remain safe in the hands of ex-employee data thieves.
Data thieves may use the stolen files to help secure themselves a position with a competitor or start their own practice. They could also just as easily sell the data on the lucrative black market for patient identities or do both. Once the data is removed without the authority of the patient no-one can be sure exactly what will happen next.
The first time an affected patient will know there is anything going on with their patient file is when they are notified of a change of address by a health professional that they may have seen at a practice. Most patients will naturally assume the notice is a courtesy announcement of a move to a new location. If the patient receiving the notification hasn't provided some form of authority for their files to be moved, then any change of address notification should be considered with suspicion.
Under a recently passed bill (Privacy Amendment - Enhancing Privacy Protection Bill 2012), any person affected by data theft has to be notified (effective March 2014) by the business holding the patient data immediately it becomes known their data has been compromised.
Unfortunately, in many cases this will alarm the receiver, causing them to join other notified recipients in contacting the practice concerned to find out what has happened to their information. The practice is blamed for the lack of security provided over their data and the thief gets away with total immunity from prosecution.
There is no legislation that will allow Police to charge ex-employee data thieves.
We came across the following article, published by Fox Business, which highlights just how valuable your patient file is to data thieves.
Protect Yourself Against Medical Identity Theft
From the Gerri Willis Daily
I’m a big fan of keeping my personal information personal. But when it comes to your medical information, maintaining privacy is difficult, if not impossible. That’s because your information isn’t just held by your doctor, hospital and insurer, it’s also a commodity bought and sold by marketers, data base companies and even retailers.
In fact, on the black market, your medical records are more valuable than your social security number. According to Dr. Deborah Peel of Patient Privacy Rights, it costs just 50 cents to a dollar to buy a social security number, but $14 to $24 to buy someone’s private medical details. Smart identity thieves are leaving the dumpster diving behind and focusing on medical identity theft because they prefer the deeper pockets of insurers to consumers.
Read more:
Labels: breach of confidence, data theft, data theft by departing employees, data theft by healthcare professionals, employee theft, identity fraud, identity theft
Location: Sydney NSW, Australia
Saturday, 18 May 2013
Using Computer Forensics to Investigate IP Theft
By Sid Venkatesan and Elizabeth McBride at LTN
Information technology advances have many salutary effects, allowing workplace flexibility and reduced IT spending. IT advances have also established a host of new intellectual property security issues stemming from data breaches, computer hacking, and theft of proprietary data by departing employees or consultants. These issues now affect companies large and small because all aspects of a company's intellectual assets are preserved electronically, and companies are increasingly relying on employees and independent contractors to access these assets remotely, 24 by 7.
When a valuable employee departs to a competitor, or leaves to start an unspecified "new venture," or even leaves for some "time off," an employer must be vigilant regarding the possibility that electronic copies of company trade secrets — such as confidential customer data, source code, business plans, or technical documents — may follow the former employee out the door. This "departing employee" scenario is probably the most common fact pattern that leads to trade secret litigation.
Companies are increasingly using computer forensics to investigate the who, what, when, where, and why of data theft by departing employees. "Computer forensics" in this context refers to the examination of digital devices, such as smartphones and laptops, and storage media, such as hard drives and thumb drives, in a forensically sound manner that preserves the contents and operating systems of these devices while extracting information regarding file creation, deletion, modification, and copying, and internet and software application usage, amongst other things. Though the field of computer forensics is continually evolving, computer forensic experts are playing an increasingly integral role in the trade secrets and business litigation landscape; it will not be long before litigants point to a company's failure to undertake forensic investigations as a lack of reasonable diligence that can bar a trade secrets claim.
So what should a company do when it learns that a newly departed employee has taken a prominent role at a competitor, or made suspicious statements, tweets, or blog posts? Read the rest of the article to see what a typical action plan could look like at LTN Law Technology News.
Labels: breach of confidence, data theft, data theft by departing employees, data theft forensics, datatheft
Location: Sydney NSW, Australia
Friday, 10 May 2013
Health Industry: Leaving a Practice?
By Sharon Russell, Claims Manager, MDA National.
Do you have a legal obligation not to disclose or use confidential information obtained from your former practice?
In order to consider your obligations to your former practice it will be necessary to determine if you were engaged as an employee or an independent contractor.
Whilst many arrangements purport to be principal/independent contractor relationships, the Courts will look at the facts behind any such agreement to determine the true nature of the relationship. The Courts will consider aspects such as control and expectation of work, how it is performed, hours of work, the payment method and equipment use.[1]
In Boyar v House of Life,[2] Fair Work Australia determined that a locum alternative medicine practitioner was an employee of the Traditional Chinese Medical Practice. In reaching this decision, the Commissioner stated the "single most important factor" in determining the type of relationship was that at all times the patients remained patients of the practice.
It is therefore likely that a large number of arrangements entered into by medical practitioners would be viewed as employment relationships.
In Australia employees owe certain fiduciary duties (a fiduciary duty is an obligation to act in the best interest of another party) to their employer, including an obligation of good faith. This includes not disclosing or misusing confidential information, which was obtained during the course of employment. This applies even when there is no expressed confidentiality or restraint clause in the contract.
The information generally, however, should be truly confidential as opposed to knowledge, skill and experience that a medical practitioner has acquired. In a recent case,[3] the Federal Court of Australia stated:
The entitlement of an employee to use information obtained in the course of employment after leaving that employment will depend upon the nature of the information, and the manner in which it is obtained by the employee. The general rule is that, after the employment relationship has ended, a former employee may use know-how obtained in the course of the prior employment. He may not, however, use information of a confidential nature.
The situation is different if the information in question, even though it is not strictly speaking confidential information of the employer, is deliberately taken or copied by the employee while the employment relationship persists for use after the employment relationship ceased: Faccenda Chicken Ltd v Fowler [1987] Ch 117 at 136. In that case, a former employee was prevented from using the employer's know-how or non-confidential information that might otherwise have been available for use after termination of the employment relationship, because the information and the advantage that flowed from it was obtained through dishonesty.
In the context of a medical practitioner, this could include taking patients' details with the intention of contacting them either during or after leaving the practice and encouraging them to see the practitioner at their new practice.
It is important to bear in mind that the scope of what constitutes confidential information can be broadened by the terms of an employment contract.
That said, medical practitioners must also consider their professional and ethical obligations to patients when leaving a practice. This would include ensuring appropriate arrangements have been made for a patient's ongoing care. It would therefore be reasonable to inform patients that the practitioner is leaving the practice and to assist in facilitating arrangements for ongoing care, as opposed to actively soliciting patients and encouraging them to see the practitioner at their new practice.
In contrast, independent contractors do not owe a fiduciary duty to their principals, so the obligations owed to a former principal, in the absence of a written agreement, are less onerous. However, the Courts still may provide remedies to prevent unauthorised use of information, if it is found that the information was confidential, it was disclosed in circumstances indicating an obligation of confidence and damage or loss was suffered as a result of the information being disclosed or used.
MDA National recommends that Members exercise extreme caution if you consider that there is a possibility that you might use confidential information obtained from your former practice. If an issue arises, please contact MDA National for advice.
1 Independent Contractors and Employees – Fact Sheet, Australian Government, Fair Work Ombudsman Website- www.fairwork.gov.au.
2 [2011] FWA 7953
3 Spotless Group Ltd v Blanco Catering Pty Ltd (2011) 93 IPR 235
Location:
Sydney NSW, Australia
Wednesday, 8 May 2013
Sydney City Medical Centre owner Roselyn Singh suspect in identity theft
> The Roselyn Singh File
In February 2013, Sydney City Medical Centre owner Dr Roselyn Singh PhD, MBA, BCom (Hons), lodged a vexatious complaint with the NSW Health Care Complaints Commission (HCCC) against a competitor medical centre owner, using an identity she stole from another competitor.
The extent of the use of the competitor's identity is unknown. However, it can be revealed the identity has been used by Singh since early 2012. It is also alleged Singh used other identities to intimidate competitor medical centre owners and staff.
Singh's fraudulent behaviour and intimidation of competitors doesn't end there. Complaints have been lodged against Singh with Police, ASIC, ACCC and Fair Trading for identity theft, false accusations causing an investigation, data and IP theft, misleading and deceptive conduct and passing off. Singh routinely lists competitor practices on her website, including their addresses but with a different phone number. Callers are then redirected to Active Muscle and Spine at 300 George Street, owned by an associate of Singh, and to Sydney City Medical, which is owned by one of Singh's companies, UTSG Consortium Pty Limited (under administration).
In one of the largest ever reported personal information thefts in the medical industry, one of the centres listed on Singh's website had most of its patient database compromised and IP stolen in a series of systematic frauds orchestrated by Singh and ex-employees of the centre listed.
Police, ASIC, ACCC and Fair Trading have so far failed to ignite an investigation into Singh or her associates. Fraud Police maintain that lodging a false complaint using a stolen identity is not a crime and that they have no legislative powers to charge Singh or her associates with data theft. In addition, a Fair Trading insider explained, "it is not significantly important enough for us to investigate". This is another example of Small Business being let down by authorities despite a clear mandate to investigate and prosecute business owners making false and misleading claims.
Inquiries by Data Theft into Singh's profile on LinkedIn (Google search 'Roselyn Singh PhD') have failed to validate her publicised credentials. The University of Sydney, listed by Singh, has no record of her having studied for a PhD, MBA or BCom (Hons). Singh's present employers Deloitte and PwC, listed by Singh on her LinkedIn profile, have been unable to locate her on their payroll records.
Roselyn Singh also owns VHealth Plus and has been President of Miss Earth Australia (since 2013). Both these organisations are located at 40 Park Street Sydney.
Singh's claims, published on her websites and various other websites, that her medical centres and Miss Earth Australia are not-for-profit entities supporting various charities and foundations also remain unsupported by any discoverable evidence. None of Singh's entities are registered with ACNC.
Despite an independent Police report indicating Singh should be investigated, evidence and witnesses, the HCCC have refused, without explanation, to lodge a complaint with Police against Singh for using a stolen identity to provide false information about a doctor causing an investigation, a crime under the Health ACT 2002 and the Crimes Act 1900. Complaints to the Health Minister, The Hon Jillian Skinner, have been redirected back to the HCCC and AHPRA. AHPRA will not investigate Singh because she is not a practising health care professional.
Do you know more?
If you have information about Singh's interesting conduct or are a victim of one of Singh's scams, contact us.
Labels:
data theft,
datatheft,
identity fraud,
identity theft,
misleading and deceptive conduct,
roselyn singh
Location:
Sydney NSW, Australia
Sunday, 20 January 2013
Get Out of Jail Free Card for Healthcare Workers
There is a duty of care and privacy, for all patients, which needs to be respected by healthcare professionals, the professional associations they are members of, the Australian Health Practitioner Regulation Agency (AHPRA), its sub-boards and all health facilities.
Any violation of these considerations by a health professional breaches the confidence of patients, AHPRA, its sub-boards, professional health associations and employer health facilities.
The community expects more from Government Regulatory Bodies than turning a blind eye to morally bankrupt behaviour by healthcare workers they are commissioned to regulate. Serious breaches of privacy should attract appropriate penalties.
Under recent amendments to the Privacy Act (Privacy Amendment - Enhancing Privacy Protection Bill 2012), data theft by healthcare professionals could be regarded as serious and, at the discretion of the Privacy Commissioner, the employer (Medical Centre) could be heavily fined, yet the data thief goes free.
Currently the position of AHPRA and its sub-boards on this type of behaviour falls well short of the expectations of the community and all businesses who employ health professionals.
Theft of restricted data and removal without the authority of patients breaches the Privacy Act, apart from any other contractual arrangements between employers and health professionals.
The breach of confidence with the medical centre by a healthcare professional, due to data theft, is a commercial matter and can be dealt with in the civil courts if the ex-employer has the financial means, after the data theft, to sue for loss and damages.
However, the immunity from prosecution by Police currently afforded to employed health professional data thieves, due to lack of legislative powers to prosecute, and the blind eye approach by AHPRA and its various sub-boards do little to instil confidence in the community. Patients have every right to expect their private and confidential information to remain safe and secured as required under the Privacy Act and as indicated in most health facility privacy policies.
A recent data theft event, covered on Data Theft Australia, was a multi-million dollar fraud affecting patients' right to privacy and continuing care. It closed down one of Sydney's largest and most advanced sports injury centres and saw experienced staff laid off right on Christmas.
AHPRA and The Chiropractic Council of NSW, in consultation with the Healthcare Complaints Commission, resolved to take no action against the perpetrators of this fraud affecting thousands of patients, health centre employees, the community at large and the business owners. To our knowledge these bodies have never prosecuted a healthcare worker for data theft and / or breaching the privacy of patients.
Ethically challenged healthcare workers have effectively been given a get out of jail free card to commit major fraud, steal patient data and remove it from healthcare facilities without patients' written authority, a current requirement under the Privacy Act as it relates to patient medical files that is, however, unenforceable in cases of data theft by employees.
This freedom should be a major concern for all patients attending any health facility anywhere in Australia and contradicts the rhetoric propagated recently by the previous Attorney General Nicola Roxon and the Privacy Commissioner Timothy Pilgrim about new privacy powers.
Currently the Privacy Amendment - Enhancing Privacy Protection Bill 2012 does not cover any employed person who steals data from their employer, yet it subjects the employer, at the discretion of the Privacy Commissioner, to potentially huge fines for breaches of privacy while the ex-employee data thief remains immune from prosecution.
Labels:
breach of confidence,
cyber crime,
data theft,
data theft by healthcare professionals,
Nicola Roxon,
OAIC,
Privacy Amendment - Enhancing Privacy Protection Bill 2012,
Privacy Commissioner,
Timothy Pilgrim
Location:
Sydney NSW, Australia
Roselyn Singh Conspires with Ex-employees to Steal Patient Files
The theft of patients' personal information by Sydney City Medical Centre owner Roselyn Singh and ex-employees of a long-established competitor sports injury centre had many affected patients complaining about security and about Active Muscle & Spine, the business where their information was moved to.
Under the guidelines of the Privacy Commissioner (OAIC), all affected patients were notified immediately it became clear there was a breach of their personal information. The breach notification caused hundreds of patients to call the sports injury centre, worried about the extent of personally identifying information, credit card information and patient records (medical history) removed without their authority.
The fraud report to Police outlined a well-organised conspiracy, involving the director of Chiropractic, who had worked at the sports injury centre for over 14 years, other ex-employees and prolific fraudster Roselyn Singh, to hack a secured system to steal the patient database and IP. Using fear of losing their jobs and access to their patients as motivation, Roselyn Singh and the Chiropractor also convinced most of the remaining professional staff to leave and work at their centres 'Active Muscle & Spine' and 'Sydney City Medical'.
Other employees and affected patients, many of whom had never had a consult with any of the ex-employees involved in the data theft, wondered how the ex-employees were able to compromise their information given the high level of security used to protect patient files.
The sports injury centre provided concerned patients with an explanation of the security measures used to conceal restricted personal information and a screenshot of their patient file which clearly indicates all identifying information is marked "private" and could not be viewed or accessed by any healthcare professionals. Patients were directed to lodge complaints with the OAIC.
After receiving a barrage of SMSs and emails from Active Muscle and Spine, patients contacted them to ask how they were able to get their information, particularly as they had never had a consultation with them nor ever booked an appointment with them.
Following is one of the emails sent to concerned patients by the chiropractor primarily involved in organising the data theft:
Active Muscle & Spine
300 George Street
Sydney NSW 2000
Dear [patient name]
Thank you for your email and I apologise for any inconvenience our correspondence may have caused.
I contacted you as our records show you are a patient of [name of healthcare professional], a practitioner of mine when we practised at my previous clinic - [name of Medical Centre - removed by Data Theft].
[Sports Injury Centre] is a Serviced Office and as part of their front desk service, they collected patient contact information on my behalf.
Contact information is collected when a patient makes an initial booking with a practitioner.
I hope this helps to explain your query and if you have any further questions, please don't hesitate to contact me.
Regards
Name [name removed by Data Theft]
Active Muscle & Spine
The email is both misleading and deceptive. The sports injury centre is not a serviced office and at no time had the patients receiving this explanation ever been booked to see any of the ex-employees now working with the author of the email. The patients receiving this email were patients of colleagues who still worked at his ex-employer's centre.
The email's author had been employed as a chiropractor to see the sports injury centre's patients, and only the patient name, date of birth and patient record (medical history) were available to him and not, as stated by him, patient contact information or any other restricted personal data as indicated in the screenshot of patients' files. No information was ever collected on his or any other employee's behalf. All forms collecting restricted information are owned by the sports injury centre and are not seen by or available to healthcare professionals.
Patients rarely ring and ask for a specific practitioner unless they are an existing patient or have been referred. Most new patients are referred by the centre's front desk to the healthcare professional who is best able to deal with their specific health issue and available when the patient can attend an appointment.
The email's author and someone engaged by him hacked the restricted area of the patient database, misusing the author's login to obtain 'personally identifying information' and remove it without the authority of management or patients, compromising the privacy of patients and breaching his contract with the sports injury centre.
After the data and IP theft from the sports injury centre and another competitor medical centre, also located in Sydney's CBD, Roselyn Singh added their business names and addresses to her own Sydney City Medical website to mislead and deceive patients. Patients calling the phone numbers listed beside the addresses were redirected to Active Muscle and Spine and Sydney City Medical. Singh also listed staff of the affected centres to assist in misleading patients searching for their practitioners by name. None of the practitioners listed (image below redacted for privacy) ever worked for Sydney City Medical or Active Muscle and Spine.
The redacted image below indicates how the affected centres and practitioners were listed on Singh's website and also shows Roselyn Singh passing herself off as having a doctorate and other tertiary qualifications.
Complaints to ASIC and Fair Trading for passing off and misleading and deceptive conduct have never been investigated.
Complaints by affected patients to the OAIC were dismissed by an OAIC investigator and the file closed with no action to be taken against Roselyn Singh or any of the ex-employee data thieves despite compelling evidence the thieves had stolen their personal information and lied to the investigator. Dissatisfied complainants were redirected to the Ombudsman by the OAIC investigator.
An extremely worrying circumstance is that Roselyn Singh has been reported to Police and the HCCC for identity theft and Medicare Fraud, yet neither Fraud Police, the HCCC nor any other authority has so far investigated her. Even an independent Police report indicating Singh should be investigated has not raised an eyebrow with various State or Federal authorities.
Complainants reporting the thefts to NSW Fraud Police were told neither Roselyn Singh nor her associates could be charged with any crime. Complaints to the Health Minister, The Hon Jillian Skinner, were referred to Section 308H of the Crimes Act, and complainants were directed to lodge a report with Police, the HCCC and AHPRA. Despite this reference, Police have no legislative powers to charge ex-employees who steal customer lists, patient files or IP. Complaints to AHPRA and the HCCC either went unanswered or resulted in complainants being referred to seek civil legal advice. One of the chiropractors involved in the thefts is a member of the executive committee of an association for chiropractors and osteopaths. A manager of another osteopathic association told complainants they could be sued for defamation.
The ex-employees working with Singh and involved in the conspiracy to commit fraud and the systematic theft of thousands of patients' files are not named here due to the potential for legal proceedings against them. The series of systematic data thefts by Singh and these ex-employees followed a similar event at the same centre that is currently awaiting a decision from the Supreme Court.
Ref: Police Fraud Report - Event Number E52384988
Labels:
breach of confidence,
breach of privacy,
cyber crime,
data theft,
data theft by healthcare professionals,
OAIC,
Privacy Amendment - Enhancing Privacy Protection Bill 2012,
Privacy Commissioner,
roselyn singh
Location:
Sydney NSW, Australia