2.2 million billing records missing on stolen backup tape

Date Reported:
6/10/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University of Utah Hospitals & Clinics
Perpetual Storage, Inc.

Victims:
Patients

Number Affected:
"approximately 2.2 million"

Types of Data:
"names, related demographic information and diagnostic codes"; additionally, "Records for a subset of 1.3 million patients also contained Social Security numbers"

Breach Description:
"SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center"

Reference URL:
University of Utah Hospitals & Clinics
The Salt Lake Tribune
Associated Press via KUTV Channel 2 News

Report Credit:
University of Utah Hospitals & Clinics

Response:
From the online sources cited above:

SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center
[Evan] There is no mention of encryption in any of the news reports I have read regarding this breach, so I am going to go ahead and assume that it was not used. As you read through the publicly available details of this breach below, you will probably agree that the courier driver made an idiotic mistake that he almost certainly regrets, but the University of Utah Hospitals & Clinics is the custodian of this information that should have identified the risks involved with transporting confidential patient records off-site. One of those risks is the possibility that a backup tape may become lost or stolen, which is obviously the case in this breach. Where were preventative controls to account for this unacceptable (in most cases) risk, like encryption?

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years

people would be notified by a letter at a cost of $500,000 just for stamps and envelopes
[Evan] How much would it have cost to encrypt the information on the tapes?  The State of Utah has an exemption in their breach notification law for encrypted information.

The hospital also pledged free credit monitoring

The records were in a gray metal box

The courier, whose name was not released, picked them up in his Ford Explorer on June 1

instead of driving directly to a storage center, he worked a second job and then went home
[Evan] This is the idiotic mistake I was writing about earlier.

The next day, he discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box

The driver worked for Perpetual Storage Inc. for 18 years and was fired.

Authorities declined to say how easy or difficult it would be to read the records.

The sheriff believes the thief probably thought the box contained money.
[Evan] What it contains could probably be turned into a helluva lot of money!

"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
[Evan] Eight days (June 2nd - June 10th) is probably a little too soon for evidence to appear of identity theft.

There's no evidence any of the information on the tapes has been accessed; besides, anyone trying to use the tapes would need specialized equipment to view the contents, Winder said.
[Evan] Specialized equipment like a tape drive?

Eighty percent of the 2.2 million people live in Utah or Idaho, Betz said. The hospital is offering a $1,000 reward for the records. (Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences)

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked.  Those wishing to claim the reward may call the Sheriff’s Department at .
[Evan] Think of this in pure financial terms. A person could return the tape for $1,000 or could access the tape, sell the information and make maybe $5,000.000+. Maybe a good preventative control for organizations is to assume that criminals are stupid as part of your risk management program (seriously though, it's not).

"We understand this is unwelcome news to our patients," said Betz.

The university had worked with Perpetual Storage for 12 years before the theft

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Additionally, the health-care system is taking the following steps on behalf of its 2.2 million patients.
  • Mailing notification letters to all 2.2 million patients and guarantors;
  • Providing free credit monitoring and restoration service to patients whose records included Social Security numbers;
  • Providing a toll-free information line at 1- to respond to questions; and
  • Establishing a website at healthcare.utah.edu/billingrecordstheft that provides information and resources.

Victim Reaction:
Tuesday's news was especially unsettling for people like Will Taylor, of West Valley City, whose premature daughter is a patient at University Hospital. Taylor has already been the victim of identity theft once, when thieves racked up credit card charges in his name.

"I will ask [the hospital] what precautions I can take and what they are doing about it," he said.

"If our information isn't safe, then what is?" patient Dan Christenson, of Salt Lake City, said Tuesday after learning of the theft.

Commentary:
I would be more understanding if this were the first breach ever reported where a backup was stolen that contained personal information, but it's not.  Employing backup tapes without encryption is a very well documented risk, so why do large organizations still accept it?

Past Breaches:
March, 2008 - Stolen University Health Care laptop requires notification of 4800

Comments
  • 6/11/2008 8:41 PM Jenny wrote:
    On the subject of file backup, sharing and storage ...

    Online backup is becoming common these days. It is estimated that 70-75% of all PCs will be connected to online backup services within the next decade.

    Thousands of online backup companies exist, from one guy operating in his apartment to Fortune 500 companies.

    Choosing the best online backup company will be very confusing and difficult. One website I find very helpful in making a decision to pick an online backup company is:

    http://www.BackupReview.info

    This site lists more than 400 online backup companies in its directory and ranks the top 25 on a monthly basis.