Tapes Stolen by University of Miami With 47,000 Patient Information

This is an announcement from the University of Miami.

A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported. Law enforcement is investigating the incident as one of a series of petty thefts in the area.

Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written. Even so, the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes.

"For more than a week my team devised a number of methods to extract readable data from the tapes," said Christopher Day, senior vice president of the Secure Information Services group at Terremark. "Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data."

Day said that his team also determined that even in the unlikely event that a thief had a copy of the same software used to write the tapes, "It would require certain key data which is not stored on the tapes before the software would make the data readable."

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said: "While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data."

Based on this information, the University believes misuse of the information on the tapes is unlikely.

"Even though I am confident that our patients’ data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter," said Pascal J. Goldschmidt, M.D., senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine.

Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.

The University’s permanent records are not affected; all patient information remains current, protected, and appropriately available on UM computer systems.

Back-up tapes are stored off-site to facilitate the recovery of the University’s computer systems in the event of a disaster, such as a hurricane or fire. This is standard practice for many organizations.

FAQs on the subject published by the University of Miami:

Q: What happened?
A:  A case
that contained computer back-up tapes of the University of Miami was
stolen from a vehicle belonging to a private off-site storage company
used by the University. An ongoing investigation by law enforcement has
not yet recovered the tapes.

Q: What information was on the tapes?
A: The tapes contained back-up patient information from the medical
school. Anyone who has been a patient of a University of Miami
physician or visited a UM facility at any time since January 1, 1999,
is likely included on the tapes. For a high percentage of these
patients, the data on the tapes included names, addresses, Social
Security numbers, or health information. The University will be
notifying by mail the approximately 47,000 patients whose data included
credit card or other financial information regarding bill payment.

Q: Are our computer systems affected by this loss?
A:  No, since the event took place outside of University premises, our
active systems are not affected by this incident. Your data remains
current, available, protected, and unaffected on our systems. Only
back-up tapes of the data were affected.

Q: Why are back-up tapes sent off-site for storage and what are they used for?
A: Back-up tapes are used to facilitate data recovery of our computer
systems in the event of a disaster, such as a hurricane or fire. This
is standard practice of many organizations. Tapes are often stored at
an alternate site so that should a disaster occur at the place of
business, the back-up tapes may be retrieved to restore the systems.

Q: Is my personal information at risk?
A:
After consulting with computer security professionals, the University
has determined that it is unlikely that the data on the tapes could be
accessed by an unauthorized user. Attempts by a leading Miami-based
computer security firm to access the information on identical tapes
were unsuccessful. Therefore, we believe misuse of the information on
these tapes is unlikely.

Q: How do I know whether my records were affected?
A: If you have been a patient of a University of Miami physician or
visited a UM facility at any time since January 1, 1999, your
information is likely included on the tapes.

Q: Was information from UM employees included on the stolen tapes?
A: Yes.
Many patients whose data was stolen were UM employees. The tapes also
included some employee health benefit information.  

Q: What was the sequence of events?
A:
Back-up tapes were picked up by the private off-site storage company
from the University of Miami on Monday, March 17. The University was
notified on March 19 that a container carrying computer back-up tapes
of patient information was stolen from the truck while it was parked in
downtown Coral Gables. City officials tell us that several vehicles
have been broken into in this area, including another commercial
vehicle at the same address. Law enforcement authorities have been
investigating and the University launched an internal investigation.
The authorities will continue to investigate.

Q: If I have additional questions regarding this issue, what should I do?
A:  Please visit www.dataincident.miami.edu,
which is the principal source for information about the incident. As a
back-up for this Web site, the University has also established a call
center at 1-866-628-4492.

Q: If my name is included on the tapes, does this mean I am the victim of identity theft?
A:
No. It is unlikely that someone has accessed your information, so it
does not mean that you are a victim of identity theft or that the
information may be used to commit fraud. The University of Miami wanted
to let you know about the incident so you are aware and may take steps
as you see fit.

Q: What protective steps may I take?
A:
Again, it is important to note that we have no evidence that the
information on the tapes has been accessed or misused in any manner.
You may wish to obtain a free copy of your credit report to make
certain that no unusual activity is noted.

Q: How do I obtain a copy of my credit report?
A: According to the Federal Trade Commission, the three nationwide
consumer reporting companies have set up a central Web site, a
toll-free telephone number, and a mailing address through which you can
order your free annual report.

To order, visit annualcreditreport.com,
call 1-877-322-8228, or complete the Annual Credit Report Request Form
and mail it to: Annual Credit Report Request Service, P.O. Box 105281,
Atlanta, GA 30348-5281. You may print a request form from ftc.gov/credit. Do not contact the three nationwide consumer reporting companies individually.

You
may order your reports from all three nationwide consumer reporting
companies at the same time, or you can order your report from each of
the companies one at a time. The law allows you to order one free copy
of your report from each of the nationwide consumer reporting companies
every 12 months. However, the recommended approach is to order one copy
every four months from a different reporting company. This will allow
you to view this information free of charge once every four months. For
additional information, go to the Federal Trade Commission website: www.ftc.gov/bcp/edu/pubs/consumer/credit/cre34.shtm.

Q: What other steps may I take?
A: You may place a fraud alert on the credit report maintained by each of the nationwide credit bureaus.

Q: What is a fraud alert?
A: A fraud alert is a special message placed for free on your credit
report that tells a credit issuer when inquiring about a consumer’s
credit that there may be fraud on the account. Before extending new
credit, the creditor will call you to confirm that you have applied for
such credit. A fraud alert is generally placed on your account for a
90-day period. You can ask that it be reinstated once 90 days have
passed, but it is your responsibility to do so.

Q: How do I place a fraud alert on my file?
A: To place a fraud alert on your file, you may call one of the three
credit bureaus and make the request. The bureau you call will
automatically forward the fraud alert to the other two. Once the fraud
alert is placed on your file, you should receive a confirmation letter
from all three credit bureaus. This letter will also contain
instructions on how to order a free credit report. Once you receive
your report, if you feel something is incorrect or suspicious, call the
bureau at the phone number provided on the report.

Here is the contact information for the agencies:

Equifax:         1-800-525-6285; www.equifax.com
Experian:       1-888-397-3742; www.experian.com
TransUnion:  1-800-680-7289; www.transunion.com

Q: Will a fraud alert stop me from using my credit cards or obtaining new credit?
A: No, it will not stop you from using your credit cards. However, it
may slow the process of obtaining new credit. Since the purpose of the
fraud alert is to protect you from allowing someone else to open credit
in your name, creditors will need to reverify the identity of the
person applying for credit.