School of Nursing Stolen Tapes, Private Information on 8,585

Date Reported:
9/14/07

Organization:
University of Michigan

Contractor/Consultant:
School of Nursing

Victims:
Hospital and school patients

Number Affected:
8,585

Types of Data:
Name, address, medical information and Social Security number

Breach Description:
Tapes were stolen from a locked box inside a locked room at the North Ingalls Building used by the University of Michigan School of Nursing.  The tapes were stolen over the weekend of September 7th and contained sensitive patient data on more than 8,000 individuals.

Reference URL:
MLive-Ann Arbor News
Michigan Daily News

Report Credit:
Dave Gershman, The Ann Arbor News

Response:
From the online resources mentioned above:

"More than 8,000 former and current patients of two clinics affiliated with the University of Michigan are being notified that computer tapes containing their personal information were stolen"

"The U-M is sending letters today to 4,513 people whose patient records included their names, addresses and medical information used in billing. Another 4,072 people will receive a different version of the letter because their records also included their Social Security numbers"

"The tapes can only be read with the right type of equipment."
[Comfyllama] Not much consolation.  I am sure that the "right" equipment is easily obtainable somewhere.

"The records were those of patients who had visited two U-M Health System nurse-managed clinics in Ann Arbor - the Community Family Health Center at 1230 N. Maple Road and the North Campus Family Health Service at 2364 Bishop St."

"'We are very protective of patient records and have a very secure environment, so it's very unfortunate and certainly unusual,' she said." - Kallie Michels, director of public relations at the U-M Health System.
[Comfyllama] An overstatement and an understatement in the same statement!

"U-M has no further information on the identity or motivation of the thief or thieves. Diane Brown, a police spokeswoman, said there were no signs of forced entry into the office."
[Comfyllama] "Detective" Comfyllama says this may indicate an insider.

"One of the most important steps to take in cases of theft is quickly reporting it to the University's Information Technology Security Services office, said Paul Howell, the University's chief information technology security officer."
[Comfyllama] Paul Howell and the members of the University of Michigan ITSS are very experienced and well respected. I can only imagine the challenges his team faces every day.  Often the very first actions following an incident can dictate the entire course of the investigation and response.  Heed Mr. Howell's advice.

"Howell said even with an extensive security system in place, data theft can still occur."
[Comfyllama] True, so the best we try to do is mitigate the risk.

Commentary:
The University of Michigan has certainly experienced its share of security headaches over the past 12 months.  As I stated earlier in this post, this breach really seems like an inside job.

Although these tapes appear to have been physically secure, that physical security was not balanced by logical security: the tapes were not encrypted.  Sensitive data at rest must be encrypted in order to protect it adequately, especially on mobile media such as tapes, laptops, CDs, DVDs, flash drives, etc.  I am sure the University of Michigan ITSS already knows this, and may already do this in many places throughout the school.  The University of Michigan is a very large computing environment that will only continue to get more secure.

Past Breaches:
July, 2007 - Two University of Michigan School of Education Databases Breached
November, 2006 - 1,300 U of M Students Affected by College of Engineering Breach
