University of Miami reports stolen tapes affecting patients

Date Reported:
4/17/08

Organization:
University of Miami

Contractor/Consultant/Branch:
Archive America Ltd.

Victims:
Medical patients who visited university medical facilities since January 1st, 1999.

Number Affected:
"more than 2 million" (2,000,000+)*

*According to the ComputerWorld report. The University of Miami will be notifying 47,000 people whose data may have included credit card or other financial information regarding bill payment.

Types of Data:
Names, addresses, Social Security numbers, health information, and credit card or other financial information

Breach Description:
"A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen.  The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported."

Reference URL:
University of Miami announcement
The Associated Press via The Florida Times-Union
ComputerWorld

Report Credit:
The University of Miami

Response:
From the online sources cited above:

University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records were stolen in March from a van that was transporting the data to an off-site facility.
[Evan] I'm not sure where ComputerWorld came up with the 2,000,000 number.  I could only find references to the number 47,000.  I went with the 2,000,000 in this report because 47,000 doesn't seem large enough for "Anyone who has been a patient of a University of Miami physician or visited a UM facility at any time since January 1, 1999"

Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17.

Thieves removed a transport case carrying the school's computer backup tapes

Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft.

The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen.

In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
[Evan] Absolutely a good decision!  More organizations should be more transparent in their responses to incidents involving personal information.  After all, personal information belongs to the person, not the organization.

Since the incident, Menendez said that the university temporarily stopped transporting backup data off-site

"At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better,"
[Evan] I like this response.

Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft,"

Law enforcement is investigating the incident as one of a series of petty thefts in the area.
[Evan] Interesting that they chose the word "petty".

The stolen backup tapes hold names, addresses, Social Security numbers and health information of all patients at university medical facilities since Jan. 1, 1999.

Financial data from approximately 47,000 people may be on the missing tapes

UM says it will notify 47,000 patients by mail whose records may have included credit card or other financial information

After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed.

security experts at Terremark Worldwide Inc. "tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,” said Christopher Day, senior vice president of the Secure Information Services group at Terremark.  “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.”

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said:  “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.”  Based on this information, the University believes misuse of the information on the tapes is unlikely.
[Evan] I very much respect Ontrack's views on data recovery.  These guys are the experts in data recovery.

"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information,"

The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters.

the University has also established a call center at 1-

Commentary:
Minus the amount of time it took for the school to get the word out (for which there might be good reason), I am impressed with the school's response to this incident.  The fact that they chose to consult with two independent "experts" about the risk of disclosure and convinced them to comment publicly was an excellent move.  The school's transparency about this incident instills a sense of trust and honesty that could have easily turned the other way.  Other organizations could stand to learn a thing or two here.  Kudos to the school's management team.

Past Breaches:
Unknown


 
Comments
  • 4/26/2008 5:26 PM Chris Walsh wrote:
    I'm impressed too, but negatively.

    The University notified 47K people whose *financial* info was exposed. However, these were *medical* records which were stolen. Unless all medical records are financial records, some (and as you say, perhaps the vast majority) of those whose personal health information was exposed were deliberately not notified.

    Is that the example we want others to follow? If so, here's what every medical center should do:

    Keep all medical information on a patient in one set of files, but do NOT store any payment information there, or store the patient's SSN there. Instead, store a unique key. Store all the financial info and SSN for a patient in a separate set of files, linked by the unique key.

    If the second set of files is exposed, you have to do some work. If the former is exposed, you have to do absolutely nothing.

    By the way, it may be news to Miami, but some states require notification when PHI is released, not just an SSN or financial info. Before settling on the 47K, I'd have Legal do some reading.
    1. 4/26/2008 7:34 PM Evan Francen wrote:
      These are very good points.  Excellent perspective.

      Thanks Chris!

  • 4/26/2008 7:27 PM Dissent wrote:
    It was 2.1 million medical records, 47,000 of which had financial or credit card information. See: http://www.miamiherald.com/news/breaking_dade/story/499492.html as your reference for that.
  • 6/12/2008 8:11 AM anonymous wrote:
    In light of this article, I did some investigation. It appears that this compression complexity is simply Tivoli, which is disclosed on Google. There is no mention of encryption and there is no reference to using encryption in their public IT policies or procedures. In fact, their publicly available records in change control do not mention enabling encryption and only the most recent meeting mentions data security changes...of course being in direct response to the breach.
