When he saw weekend news reports that a computer containing the personal records of 5,783 cancer patients had been stolen from Johns Hopkins Hospital, attorney Michael Mastracci knew exactly where to find it.
"I knew about it weeks ago," he said of the computer. "Before I saw the news, I didn't know what was on the computer. But when I saw the stories, I knew immediately that that was the computer I'd heard about. "
By early Sunday afternoon, he had arranged to have the computer brought to his Catonsville law office. He called The Sun, which had reported the theft Saturday, to find out whom to contact at Hopkins to return the hottest desktop in town.
"I have access to that computer, and I can put it in the university's hands," Mastracci told a reporter. "I am anxious to return it to those souls who feel violated."
Hopkins officials reclaimed the computer that afternoon. Yesterday, they confirmed that it was the machine they were looking for and that none of the patients' personal records appeared to have been accessed for use in identity theft.
Mastracci said he first learned of the missing computer three weeks after it was stolen July 15 from an administrative building on Hopkins' main campus.
A person whom Mastracci declined to name, based on attorney-client privilege, contacted him for legal advice on returning the missing computer to Hopkins.
"It was not stolen with the knowledge that there was a big patient database on it and that that could be sold for money," Mastracci said.
Mastracci met with the person who contacted him, recommending that the computer be returned as quickly as possible. Initially, the lawyer said, the plan was to have a private investigation firm return the machine on behalf of his client. But the client needed time to raise money to pay the firm.
Meanwhile, Hopkins security officials and city police were searching for the missing computer.
Hopkins officials completed a police report Aug. 2 and sent out letters Aug. 24 notifying the patients and their families of the security breach. The letter said their Social Security numbers, birth dates, medical histories and other personal information were on the missing desktop.
The patients' records were part of a tumor registry database required by state law. The computer was password protected, but the records were not encrypted or password protected.
Based on video surveillance records, a Hopkins employee and the employee of an on-site vendor were implicated in the theft and issued criminal summonses, according to Hopkins officials. Baltimore police were unable to provide details yesterday about the identities of the people suspected in the theft.
Upon learning from news reports that the computer was the latest in a string of high-profile cases of people's personal data gone astray, Mastracci realized the stakes were higher than he had thought.
"I realized it was time to move, and I had to make a quick decision to move on it," he said. "I contacted [The Sun] because I knew you had been in contact with Johns Hopkins."
After contacting the paper's newsroom Sunday, Mastracci called Margaret R. Garrett, an attorney in Hopkins' legal affairs department, and informed her he had the computer. A Hopkins security officer arrived about 4 p.m. that day to retrieve the desktop.
Preliminary findings "strongly suggest" that the computer was never turned on while it was missing and that no one gained access to the database on its hard drive, according to a statement by Joann Rodgers, a Hopkins spokeswoman.
Hopkins plans to have an independent specialist in information technology search further for any evidence of an information breach. The hospital also plans to send letters with updated information to patients whose personal information was on the computer.
One of the patients, who asked to remain anonymous because of her condition, said a Hopkins official called her yesterday to tell her the computer had been returned. She was relieved by the news, saying, "I do feel better."
Mastracci said Hopkins officials contacted him Monday to thank him for arranging the computer's return. "I assured them, to the extent that I could be certain, that the data was not stolen as part of any identity theft scheme," he said.
Identity theft is becoming so common that he plans to expand his law practice to handle such cases. "It's going to be huge," he said. "It boggles your mind the ways people can get ripped off."