washingtonpost.com
NEWS | LOCAL | POLITICS | SPORTS | OPINIONS | BUSINESS | ARTS & LIVING | GOING OUT GUIDE | JOBS | CARS | REAL ESTATE |SHOPPING
'); } //-->
Lost Computer Tapes Had Details on 135,000 Workers, Patients

By Susan Kinzie
Washington Post Staff Writer
Thursday, February 8, 2007; B05

Personal data on about 135,000 Johns Hopkins employees and patients were lost last month, the university announced yesterday, when a contractor did not return backup computer tapes from the hospital and the university payroll.

After an investigation, school officials concluded that the tapes were most likely discarded and destroyed, but because they couldn't be certain, letters and e-mails were sent yesterday to alert people who might have been affected.

Hopkins has had security breaches, said university spokesman Dennis O'Shea, but never on this scale.

Just about every week, some data are lost at a university, said Rodney J. Petersen, security task force coordinator for Educause, which works on information technology issues for colleges and universities. One of the primary worries is that the data could be used to tap into people's bank accounts and credit cards. Despite the increasing frequency of the breaches, he said, "I am not aware of a single case where a person's identity has been assumed because of the compromise."

On Jan. 18, Hopkins realized that eight computer tapes with information on 52,000 employees -- almost all current staff and some retirees -- had not been returned from a contractor making microfiche backups. That included data such as Social Security numbers and bank account information.

During the investigation, officials discovered that a ninth tape, with less sensitive information about new patients at the hospital, was missing. That did not include Social Security numbers or financial information and was limited to patients who first went to Hopkins between July 4 and Dec. 18 last year and those who updated personal information during that period.

The tapes work with special equipment and can't be used on a typical personal computer, but they were not encrypted.

Hopkins has been moving toward encryption but has not finished the process.

O'Shea said the university can't prove that the tapes were destroyed, but the evidence suggests that they were put in a trash bin and incinerated.

In December, hackers got into a database at the University of California at Los Angeles. It had information on 800,000 people, including staff members, students and applicants.

Two years ago, George Mason University warned students, faculty and staff members that confidential personal information could have been compromised after hackers penetrated the school's computer system.

Educause has recommendations to help protect private information, Petersen said, "but there's no one single magic bullet that will prevent exposure of confidential data."

Post a Comment

Comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions. You are fully responsible for the content that you post.

© 2007 The Washington Post Company