A non-profit that promises to protect victims' privacy could not prevent a staffer from accessing hundreds of case files with sensitive information like Social Security numbers and dates of birth.
Safe Horizon, a city-funded refuge for victims of crime and domestic abuse, is working to notify nearly 600 current and former clients that a convicted identity thief may have accessed their personal information.
"The idea that any employee of ours would violate that trust was appalling to us," said Liz Roberts, Safe Horizon's Deputy CEO.
According to Nassau County Police, Petal Foster, a former supervisor who worked at a Safe Horizon Brooklyn location, stole the identity of an elderly client and used it to try and buy a vehicle worth $43,000.
"Her credit score was not good enough to secure that loan, at which time she used the victim's information as the co-signer on that loan," said Richard Harasym, the commanding officer of the Nassau County Police Crimes Against Property Squad.
Roberts said Safe Horizon is now working with information security experts to make sure client case files are protected in the future. But she suggested that could be challenging because supervisors like Foster need to be able to access client files.
One former Safe Horizon client, who asked to remain anonymous, said she doesn't believe she consented to anyone reviewing her private information beyond the specific case worker she spoke to.
"It's horrible," she said. "I assumed it would only be the person I was working with."
Despite that concern, the former client endorsed Safe Horizon's core mission: to help victims of abuse and crime in some of the scariest, most challenging moments of their lives.
"What they're doing and the people they're serving is important," she stressed.
As Safe Horizon re-examines IT security, the agency is also retraining staff and looking at its background check process.
Roberts said Foster passed a background check but conceded the former employee did have minor run-ins with the law in the past.
"She had some kind of history. It was not significant. It was not the same kind of history," Roberts said.
"There is nothing that emerged that would have prevented her from being hired."
Earlier this month, Foster pleaded guilty to impersonating the elderly victim and was sentenced to five years probation. Attempts to contact her for comment were unsuccessful.
Foster had already been dismissed from her employment at Safe Horizon for unrelated reasons when the identity theft allegation surfaced last October.
Nine months later, Safe Horizon staff members are still trying to reach out to current and former clients who may have been compromised. In many cases, the process is made more difficult because the agency must be sensitive to the fact that many abuse victims don't tell their families they've sought services.
"They may be in a situation that is unstable or where they continue to face risk in their lives so we didn't want people to get a letter from Safe Horizon out of the blue with this kind of troubling information," Roberts said.
If you are a former or current Safe Horizon client with questions about the identity theft breach, you can email firstname.lastname@example.org.