With all the news of major corporate data breaches, it’s easy to forget that the “old-fashioned” methods still work when it comes to identity theft. We might envision highly skilled hackers using their tech skills to break into a system, but sometimes, it’s far simpler than that.
That’s the case for Montefiore Medical Center, a New York hospital that suffered an internal data breach over a period spanning 2012 and 2013. An employee with access to patient information stole the personal data of more than 12,000 individuals during that time, then sold the information to a ring of ID thieves. Sometimes, the price for the information was as little as three dollars per patient.
The recipients of the stolen information used it to open new lines of credit at some of the higher-end retail chains in New York, such as Saks Fifth Avenue, Lord & Taylor, and Barneys. Altogether, eight individuals, the hospital employee and seven co-defendants, have been indicted for what has amounted to at least $50,000 in illegal purchases.
It’s important to remember that there is such a thing as an accidental internal data breach, which occurs when an employee lets sensitive information leave the company’s control but does so without any harmful intent. It can be something like losing a laptop or flash drive, leaving a password-protected computer unattended, or other similar instances.
Whether intentional or accidental, how can consumers protect themselves from an internal data breach?
If an employee is determined to mine your data for malicious purposes, there’s not a lot you can do to prevent it. Face it, there are simply some situations that require your personally identifiable information. But you can be careful about what data you share about yourself and make sure that the person who’s receiving it absolutely needs it.
Social Security numbers, for instance, are not allowed to be used as identification numbers, so ask yourself why a school, day care center, or doctor’s office really needs yours before you turn it over. The same holds true of your spouse’s information; as the patient, you will need to provide your health insurance card, which can then be used to uncover your Social Security number, but why does the form ask for all of your spouse’s personal information? It’s simply not required.
Once a breach occurs, it’s important to follow up with the steps to protect yourself as they’re outlined in the notification you receive. If the company is paying for credit monitoring, don’t ignore that. Of course, the best way to head off any problems before you’re even notified is to keep a close watch on your credit reports throughout the year, and report any suspicious activity.