Privacy Breach: Johns Hopkins University Lost Personal Information on 135,000 Individuals
There now seem to be so many privacy breaches that it is hard to choose which one to discuss...
Last Wednesday, 2/7, Johns Hopkins University reported that nine backup tapes containing personal information on 135,000 employees and patients were missing. The tapes had been given to a contractor, Anacomp Co. Inc., to make microfiche backups.
Eight of the tapes went missing on January 18, and the ninth on January 26.
"After an investigation by both the contractor, Anacomp Co. Inc., headquartered in San Diego, and Hopkins, it was determined that the tapes never reached the facility and concluded that the tapes likely had been mistakenly left at another stop by a courier. The best guess is that the boxes were collected as trash and later incinerated, Hopkins said."
This is another breach that occurred through an outsourced vendor. It points out the importance of performing due diligence to ensure outsourced vendors have good information security programs, policies and practices, security training for their personnel, and contractual security requirements.
Of course, even with the best security, mistakes can and often do happen. This makes it even more important to encrypt personally identifiable information (PII) whenever it is mobile...including on backup tapes, mobile computers, and other mobile storage devices. Encryption only helps if the keys are kept and managed separately from the media; a key written to the same tape it protects, or handed to the same courier, protects nothing.
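The following is an added example, not code from the original post or from Johns Hopkins or Anacomp, of what "encrypt the tape, keep the key elsewhere" looks like in practice. It seals a backup image with AES-256-GCM under a key that stays in the organization's key store, binds a tape label as associated data, and shows that a lost tape yields nothing readable and that a wrong key or a tampered tape is rejected rather than silently decrypted. The function names, the tape label and the two payroll records are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample of the kind of record a payroll backup would hold.
// Names, SSNs and account numbers are made up for this example.
var samplePayroll = []byte("id=1001,name=Jane Doe,ssn=000-00-0000,acct=12345678\n" +
	"id=1002,name=John Roe,ssn=000-00-0001,acct=87654321\n")

// NewMediaKey returns a fresh 256-bit key. It belongs in the key store,
// never on the tape it protects and never in the courier's box.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a backup image with AES-256-GCM. The result is what goes
// on the tape: a random 12-byte nonce, then ciphertext and a 16-byte tag.
// label is bound as associated data, so a tape sealed for one job cannot
// be passed off as another without the tag check failing.
func Seal(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to nonce, so the nonce is the prefix of the output.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. A wrong key, a wrong label or a single flipped bit
// in the ciphertext produces an error, never partial or garbage plaintext.
func Open(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// LeaksPlaintext reports whether a sample name or SSN is readable from the
// bytes on the media, i.e. what whoever finds a lost tape would see.
func LeaksPlaintext(media []byte) bool {
	return bytes.Contains(media, []byte("Jane Doe")) ||
		bytes.Contains(media, []byte("000-00-0000"))
}

func main() {
	key, err := NewMediaKey()
	if err != nil {
		panic(err)
	}
	label := []byte("payroll-2007-01-18-tape-3") // constructed tape label
	tape, err := Seal(key, label, samplePayroll)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext readable from tape:", LeaksPlaintext(tape))

	// The tape is lost; the finder does not have the key.
	otherKey, _ := NewMediaKey()
	_, err = Open(otherKey, label, tape)
	fmt.Println("open with wrong key:", err)

	// Someone alters one byte of the tape image before it is restored.
	tampered := append([]byte(nil), tape...)
	tampered[len(tampered)-1] ^= 1
	_, err = Open(key, label, tampered)
	fmt.Println("open tampered tape:", err)

	// The legitimate restore, with the key fetched from the key store.
	pt, err := Open(key, label, tape)
	fmt.Println("restore ok:", err == nil && bytes.Equal(pt, samplePayroll))
}
```

The design choice worth noting is the split: the tape carries only the nonce, ciphertext and tag, while the key lives with the organization. Losing the tape is then a loss of hardware, not of PII, and the GCM tag turns a swapped or damaged tape into a loud restore failure instead of a quiet one.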
"The information on the university payroll tapes included Social Security numbers and, in some cases, bank account information for present and former employees, including retirees and students who have held campus jobs. Employees whose information is on the tapes come from all university units except the Applied Physics Laboratory."
"The hospital tape included personal information on all patients first seen last year between July 4 and Dec. 18, or who had changes in their demographic information in that time. The patient information included such data as names and dates of birth. It did not include addresses, Social Security numbers, financial information of any kind, or any medical information. Letters are being sent to all affected, current and former, Johns Hopkins University employees and patients."
The information lost is covered under several laws, a few of which include HIPAA, FERPA, the FTC Act, FACTA and probably the FCRA.
Considering its track record, it is doubtful that HHS will do anything about HIPAA, but action from the FTC under the other laws is a possibility.

Comments
Encryption is such a basic security measure, I don't know why so many organizations are still not implementing this technology.
On another note, I'm shocked that Johns Hopkins University was affected by a security breach. You'd think that such a prominent university would have top-notch security for their information.
Posted by: Mila | February 12, 2007 1:56 PM
I agree, Mila. Encryption is such a good security and privacy tool, but it is still underutilized. So many incidents would have been non-incidents if only the data had been encrypted.
Regarding universities, a large percentage of incidents occur on their systems. Their networks are typically configured to be very open because of the promoted free exchange and access to information in the education environment. They also have a very hard time getting sufficient budgets. That does not excuse them from their responsibilities, but those are the issues the CISOs within universities face.
Posted by: Rebecca | February 14, 2007 12:21 PM
You bring up an excellent point about universities and having a "free exchange and access to information"... I'm sure that's very important to the educational model.
But considering the kind of "top secret" research some leading institutions are conducting, they could really use such measures as encryption and anti-theft.
Right now there is much focus on providing security measures for commercial businesses and government organizations... but I think in the future this will shift to include security solutions that cater particularly to education, as well.
Posted by: Mila | February 16, 2007 2:37 PM
Indeed, it would be GREAT if vendors recognized educational settings as having some of the most challenging security issues and worked on solutions to address them.
Solutions vendors need to recognize that educational institutes typically do not have enough funds to adequately pay their teachers, let alone pay for adequate security. Do any of the vendors out there have any such philanthropic programs or educational discounts? If any of you do, let us know!
Of course the educational institutes must also have strong and comprehensive information security programs that address their unique vulnerabilities and threats. Those responsible for managing the information security program often don't have the necessary resources, and they typically don't have the opportunity or funds to get the training that could help them with their efforts and initiatives.
Posted by: Rebecca | February 22, 2007 9:37 AM