Hopkins notifies 135,000 of data loss

The Baltimore Sun

Johns Hopkins began notifying thousands of university employees and hospital patients yesterday that backup computer tapes containing personal information about them - some of it sensitive - have been missing for seven weeks.

Hopkins officials said they believe the data, which did not include patient medical information, wasn't compromised.

Still, two regulatory agencies that oversee hospitals are discussing whether to investigate Hopkins' security practices amid concerns of identity theft.

Eight university computer tapes, routinely sent to a contractor that makes microfiche archives of the data, held Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees.

A separate tape from the hospital had names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen between July 4 and Dec. 18, 2006, or those who updated their information during that period.

Hopkins officials said an "intensive investigation" by their staff as well as that of the contractor, Anacomp Inc., suggests that the tapes were likely misplaced by a courier, collected as trash and incinerated.

"Our best information is that the tapes have been destroyed. Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands," Hopkins University President William R. Brody said in a statement, apologizing for the incident.

"We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again," he said.

The hospital's relationship with Anacomp, based in San Diego, is also under review, and data shipments have been suspended.

According to Anacomp's Web site, "thousands of businesses and organizations worldwide" as well as the "majority of the Fortune 500" use its services to manage their documents and information technology equipment.

The company declined to comment beyond a statement reiterating Hopkins' findings.

"At no time do we believe the information on the tapes was accessed and we are virtually certain that the tapes were destroyed," Anacomp's statement read.

The news is reminiscent of other recent high-profile data losses, including last year's Veterans Affairs incident, in which the Social Security numbers of 26.5 million people were compromised in the burglary of an employee laptop.

Last summer, compact discs containing Social Security numbers and other personal data for patients at 12 Illinois and Indiana hospitals were missing for three days.

And a congressional report released in October said federal workers at 19 agencies have lost personal information affecting thousands.

Such events have led Maryland lawmakers to craft legislation this year that would allow residents to block access to their credit reports.

At Hopkins yesterday, employees said they understand that mistakes happen, but they expressed concern over why it took so long for the situation to come to light.

"I have no idea why they waited weeks to tell us that our private records have been violated," said Melody Higgins, a Hopkins nurse specializing in AIDS clinical trials. She got an e-mail yesterday morning alerting her to the situation.

"I mean, we could have put the fraud alert on our credit reports weeks ago," Higgins said. "I really don't understand what they were thinking waiting so long."

In a fact sheet distributed to employees, Hopkins officials addressed the question of why the loss wasn't reported sooner. The sheet noted the complexity of having both hospital and university data missing, as well as the time it took to identify affected parties and prepare contact data.

"Johns Hopkins began an aggressive investigation upon learning that some tapes were not returned," the sheet reads. "It has taken time for all the facts to become clear."

A spokeswoman emphasized those points in a telephone interview yesterday.

"If we didn't [take the time to gather the information], then we would have been misinforming people or not informing them to the extent that they should be," said Hopkins spokeswoman Joann Rodgers.

Privacy laws in seven states with affected people - New York, Hawaii, Louisiana, Maine, New Hampshire, New Jersey and North Carolina - required that Hopkins inform them of the breach.

Also notified were several regulatory bodies.

The state Office of Health Care Quality within the Department of Health and Mental Hygiene, which regulates hospitals and protects consumers, said it was seeking more preliminary information about the records before deciding whether to begin investigating the incident.

The agency has the power to launch, unannounced, an investigation, which could include searching files at Hopkins and interviewing employees and patients. Its powers range from writing deficiency reports to revoking licenses. More recently, it acquired the power to fine institutions for serious and uncorrected problems.

"But I seriously doubt any licenses are going to be revoked in this case," said Wendy Kronmiller, the agency's director. "It's not something at all likely to happen."

The Joint Commission, formerly the Joint Commission on Accreditation of Healthcare Organizations, said through a spokeswoman that it had just learned about the losses at Hopkins.

"We are looking at the information to determine what our next steps will be," Charlene Hill said.

Among the commission's options, she said, would be to contact Hopkins for more information, to send a team of surveyors to investigate and to monitor Hopkins to see whether the loss represents some kind of trend.

"We'll await their inquiry, if any," said Rodgers, the Hopkins spokeswoman.

Hopkins recommended that concerned employees monitor their accounts for unusual activity via free annual credit reports or request "fraud alerts," as Higgins intends. Such alerts are made by contacting one of three major credit bureaus (Experian, Equifax, TransUnion Corp.), which then informs the others. The alerts signal the bureaus to notify the consumer if someone tries to open a new credit line in his name.

Hopkins officials didn't realize anything was amiss until Jan. 18. That's when they learned that the eight tapes of information about university employees from all divisions except the Applied Physics Laboratory were never returned. Those tapes were sent out for microfiche processing Dec. 21. On Jan. 26, internal investigators discovered that a ninth tape containing patient names and birth dates was also missing.

Investigators have concluded that the tapes were likely left behind at a shipping area stop along the courier's route. The site is "generally full of boxes, which are placed in a dumpster," Hopkins said, leading officials to believe the tapes have been discarded.

The tapes require special equipment to be read, though they weren't encrypted, which troubles some privacy rights advocates.

"This breach would be a non-issue if the tape had been encrypted," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"It's the type of information and the type of data that is very sensitive. If this tape got into the wrong hands, they would have a treasure trove of sensitive personal information, enough to commit identity theft on many individuals and also sell the data on the black market," Givens said.

"This is Johns Hopkins, right? A leader in computer technology and education on that subject, so [there's] kind of an irony here."

Hopkins said it hasn't encrypted in the past but plans to do so from now on.

The fact that the data can be read only by special equipment should be of some comfort, said Joy Pritts, a health policy analyst at Georgetown University.

"This isn't the sort of information you can take home and download onto a personal computer," Pritts said, adding that patient data lost are unlikely to pose much risk.

Hopkins officials are in the process of sending letters to all affected employees and patients. They also have set up a Web site for further information at www.jhu.edu/identityalert and an information line at 800-981-7524.

tricia.bishop@baltsun.com

Sun reporter Todd Richissin and the Associated Press contributed to this article.

Data loss

Johns Hopkins said the loss of eight computer tapes containing sensitive university employee data and one tape containing generic hospital patient information poses very little risk of identity theft. Still, university and hospital officials offer these protection suggestions for those concerned:

Monitor your accounts by obtaining a free credit report

Alert your bank to the situation, so it can watch for suspicious activity

Issue a "fraud alert" by contacting one of the three credit bureaus:

Equifax: 800-525-6285; www.equifax.com

Experian: 888-397-3742; www.experian.com

TransUnion: 800-680-7289; www.transunion.com

For more information, go to www.jhu.edu/identityalert, or call 800-981-7524.

[Johns Hopkins, the Federal Trade Commission]
