Privacy Breach: Johns Hopkins University Lost Personal Information on 135,000 Individuals

There now seem to be so many privacy breaches that it is hard to choose which one to discuss…
Last Wednesday, 2/7, Johns Hopkins University reported personal information on 135,000 employees and patients on nine backup tapes were missing that had been given to a contractor, Anacomp Co. Inc., to make microfiche backups.

Eight of the tapes went missing on January 18, and the ninth on January 26.

“After an the investigation by both the contractor, Anacomp Co. Inc., headquartered in San Diego, and Hopkins, it was determined that the tapes never reached the facility and concluded that the tapes likely had been mistakenly left at another stop by a courier. The best guess is that the boxes were collected as trash and later incinerated, Hopkins said.”

Another breach that occurred through an outsourced vendor. This points out the importance of performing due diligence to ensure outsourced vendors have good information security programs, policies and practices, security training for their personnel, and contractual security requirements.
Of course, even with the best security, mistakes will, and often do, happen. This makes it even more important to encrypt personally identifiable information (PII) whenever it is mobile…including on backup tapes, mobile computers, and other mobile storage devices.

“The information on the university payroll tapes included Social Security numbers and, in some cases, bank account information for present and former employees, including retirees and students who have held campus jobs. Employees whose information is on the tapes come from all university units except the Applied Physics Laboratory.”

“The hospital tape included personal information on all patients first seen last year between July 4 and Dec. 18, or who had changes in their demographic information in that time. The patient information included such data as names and dates of birth. It did not include addresses, Social Security numbers, financial information of any kind, or any medical information.
Letters are being sent to all affected, current and former, Johns Hopkins University employees and patients.”

The information lost is covered under several laws, a few of which include HIPAA, FERPA, the FTC Act, FACTA and probably the FCRA.
Considering their track record, it is doubtful the HHS will do anything about HIPAA, but actions from the FTC for the others is a possibility.

Tags: , , , , , , , , , , , ,

Leave a Reply