Global credit-card and payment processor TSYS said Friday that the personal data of more than 5,200 of its current and former employees was stolen earlier this month by an employee of a third-party administrator of its health-care plans.
The Columbus-based company said a Paragon Benefits worker — who has been fired by Paragon — emailed the names, addresses, birth dates and Social Security numbers of 5,247 individuals to his or her personal email account. State and federal authorities are investigating the incident, the company said.
TSYS, which does business around the world, stressed no information of its various clients and their customers — including banks and retailers — has been stolen, or “misappropriated,” as the company termed it.
The company also said no specific health information of the affected current and former TSYS employees had been compromised.
TSYS said the stolen digital file contained the information of employees in the U.S. The company said about 1,000 former staffers and 11 family members of the employees had their data compromised. It does not include those working with TSYS subsidiaries NetSpend, ProPay and CentralPayment.
“I personally apologize to our team members for this unfortunate incident, and TSYS will aggressively assist and support our team members with issues that may arise as a result of this theft,” said TSYS Chairman and Chief Executive Officer Phil Tomlinson.
Paragon Benefits is headquartered on Bus Park Drive, off Gateway Road, in northeast Columbus. It manages self-funded health-care plans, which is typically the manner in which large companies offer insurance coverage to employees.
Paragon has been doing business nearly 30 years, according to its website, which also says the company specializes in “Bringing you clarity in this dysfunctional industry,” a reference to the evolving health-care industry.
Dan Thomason, president and chief executive officer of Paragon Benefits, in a statement, apologized to TSYS and those workers whose sensitive data was pilfered. He also said the employee suspected of stealing the information is no longer with the company.
“It is troubling and disappointing that someone associated with our company would compromise the privacy of our clients and violate our trust,” Thomason said. “Data security is a priority for Paragon Benefits. We acted swiftly and decisively when we found out someone had misappropriated sensitive client information. We immediately contacted law enforcement to begin an investigation into the matter and are cooperating fully.
TSYS spokesman Cyle Mims said his company would have no further comment on the situation.
The company did say it replaced Paragon with Anthem as the third-party administrator of its health plans at the beginning of this year. But Paragon still has been processing any remaining medical claims from 2012.
The credit-card processor, headquartered in downtown Columbus, said it is notifying all active TSYS workers initially by email, letting them know if their data was on the file. All of those whose information was stolen, including the retirees, also will be sent a letter with more information. Those were to be mailed Friday.
TSYS said it will offer free identity theft protection, including credit monitoring and fraud alerts, to those affected by the incident. The protection will be through Equifax.
“We do not have any information about the subsequent use of this information,” TSYS said in a fact sheet sent to employees. “No banking, credit card, medical, pharmacy, health care treatment, diagnosis or payment information regarding any TSYS team member or dependent was stolen.”
TSYS said Paragon informed it of the incident on Sept. 11. Law enforcement was notified immediately, with state and federal authorities becoming involved. It said Paragon also has hired its own forensics company to review the data theft.
TSYS said it waited to tell employees of the incident after it “had confirmed the facts and identified the affected team members.”
The company said the type of information stolen by the former Paragon employee can be used to take out bogus credit cards or file fake income tax returns.