The state has alerted some 11,500 families enrolled in a program for low-income women and children to guard against credit fraud and identity theft, after a Health Department employee allegedly stole information from a client database.

Three families registered with the Women, Infants and Children program in Wahiawa have been confirmed as identity theft victims, said Dr. Chiyome Fukino, director of the Health Department.

The state is urging others in the Wahiawa WIC programs' database, which includes clients helped as far back as 1998, to place a fraud alert on their credit reports.

Officials say the case is the first of its kind involving a state agency. It has prompted the department to take a serious look at its record-keeping practices and has raised questions about sensitive information kept with other government offices and even nonprofit agencies.

"I think the real message here is anyone can be a target. It doesn't matter what your income level is," Fukino said.

"The fact of the matter is it's your credit rating that matters."

The WIC program supplies low-income pregnant women and children up to 5 years old with supplemental foods, nutrition counseling and health referrals. Participant families' earnings must be at or below 185 percent of the federal poverty level.

There are 39 WIC clinics statewide, serving 35,000 participants.

POLICE INVESTIGATING

Fukino said workers at the Wahiawa office started to investigate the case in mid- to late December, when a client inquired about a credit card opened in her name.

The office was listed as the billing address for the card.

Fukino said she was notified of the database breach on Jan. 12. The final batch of letters notifying families whose information was at risk was sent out Wednesday night, she said.

Police Capt. Frank Fujii confirmed that an identity theft investigation is under way in the case, but could not provide details. Fukino declined to say how long the accused employee has worked for the state Department of Health. The employee has been placed on leave.

Identity theft is one of the fastest-growing crimes in the Islands, and large databases of information are increasingly becoming targets. Though business records are more commonly hit, officials say it is not unheard of nationally for low-income clients of social service agencies to also become victims.

"It's just like any business," said Brian Schatz, chief executive officer of Helping Hands Hawai'i. "Whether for-profit or not-for-profit, there is always a chance of malfeasance."

Fukino said the Health Department has taken steps to guard against a repeat incident, but she stressed there is no way to protect against every possibility.

"A criminal mind can overcome even your most vigorous defenses," she said.

DATABASES SCRUTINIZED

When Fukino was alerted to the theft, she asked branch heads to scour their databases and weed out unneeded sensitive information that could fall into the wrong hands.

She also said WIC participants are no longer required to provide their Social Security numbers. Some WIC offices had already stopped taking the numbers to identify clients, she said.

He added most agencies no longer use the number as an identifier.

"Unless there's a specific reason under law that you need a Social Security number, a business or a government agency really shouldn't use a Social Security number," he said.

News of the breach comes just weeks after three new state laws to protect residents against identity theft went into effect. One law requires agencies to notify residents whose information has been compromised as quickly as possible, while another says agencies must take "reasonable measures" to guard against security breaches of their computer databases.

The third allows consumers to freeze their credit reports to protect against exploitation.

SECURITY PRECAUTIONS

As word of the WIC security breach got out yesterday, nonprofits that serve low-income clients reviewed their procedures for dealing with sensitive financial information.

Several said they have security measures to protect their clients, but they also say identity theft was never a primary concern for them.

"We do have background checks, we do have criminal record checks," said Salvation Army Hawai'i spokesman Daniel DeCastro. "We've made absolutely sure that every employee that comes to the Salvation Army comes through that screening."

But he acknowledged there is a high degree of trust afforded to those who access client databases, which are password protected. Background checks weed out those with a criminal past, he said, but "you cannot guess a person's intent in the future."