What has happened?
Eight backup computer tapes sent by The Johns Hopkins University and one data tape sent by The Johns Hopkins Hospital to a contractor for conversion to microfiche were never returned.
What was on the tapes?
Eight of the tapes contained Johns Hopkins University payroll files with sensitive personal information on a total of 52,567 present and former university employees, from all divisions except the Applied Physics Laboratory. The information included names, addresses, Social Security numbers and, for employees with direct deposit, bank account information. There was also information on birth dates, salary, deductions and retirement plan contributions.
The ninth tape included personal information on more than 83,000 patients of The Johns Hopkins Hospital, all of whom were either new patients first seen between July 4 and Dec. 18, 2006, or who had changes in their demographic information in that time. The hospital tape included names and limited other personal information: date of birth, sex, race, mother's maiden name, father's name and medical record number. The patient tape had no medical information, Social Security numbers, addresses or financial information of any kind.
Which university employees' information was on the eight payroll tapes?
The employees involved are faculty, staff, retirees, former employees and students of the university. They hold or held regular or student jobs in any division or unit of the university except the Applied Physics Laboratory, which has a payroll system separate from the rest of the university's. Included are employees in the Baltimore-Washington area, elsewhere in Maryland, elsewhere in the United States and in other countries. Specifically, these are 32,091 employees who were paid anytime in 2006 as well as 20,476 people who were maintained in a master file but who were not paid in 2006.
Are any Johns Hopkins Health System employees affected?
The university's payroll tapes contained only information related to its own employees. The hospital tape had only information related to Johns Hopkins Hospital patients. But some university, hospital or health system employees have been Johns Hopkins Hospital patients and, therefore, might have been listed on the hospital tape.
How will I know if my personal information was on any of the tapes?
Letters are being sent to all affected Johns Hopkins University employees, current and former, and to all affected Johns Hopkins Hospital patients, except for those relatively few for whom addresses are unavailable.
Why were the tapes being sent to the contractor?
The information on the backup tapes was to be transferred to microfiche for archiving. This was a regular monthly practice for the university payroll information and a weekly practice for The Johns Hopkins Hospital patient demographics information.
Was the information on the tapes protected?
First, the tapes were not compatible with typical personal computers. In order to access the data, an unauthorized person would have needed specialized equipment that most computer users do not have. The information was not encrypted, however, and was in a format that could have been read by a user who had the proper equipment.
Why wasn't the information encrypted?
It has not in the past been the industry standard to transport information in an encrypted form, in part because of the incompatibility of formats and equipment between vendors and customers. Johns Hopkins is changing its processes to ensure that data sent to third parties is encrypted, but that process is not yet universal.
What was the timetable of events?
The tapes were picked up from Johns Hopkins by a courier hired by the contractor on the afternoon of Dec. 21. The university and hospital tapes were in the same shipment. Normally, they would have been returned to Johns Hopkins within about two weeks. The university became aware on Jan. 18 that its tapes had not been returned, prompting the start of an investigation. On Jan. 26, during the course of the university's investigation, the hospital became aware that its tape was missing.
The investigation concluded that the tapes never reached the contractor's Baltimore-area facility. Johns Hopkins believes that the courier mistakenly left the box containing the tapes at another stop. The shipping area at that other stop is generally full of boxes which are placed in a dumpster. Johns Hopkins believes it is highly likely that the tapes were thought to be trash, collected and incinerated.
Is it absolutely certain that the tapes were not stolen?
The very best evidence we have indicates that they were not.
What is that "very best evidence"?
Our conclusion is based on the findings of the experienced investigators who worked this for both the Homewood and East Baltimore security departments. This included interviews with the relevant people at the contractor and the courier service, including the courier himself; a review of the security tapes at the contractor (which confirm that the tapes never arrived there); corroborating interviews from people at the only other stop along the courier's route; a background check on the courier; and the courier's volunteering to take and then passing a polygraph examination. In short, the investigators believe the courier's recollection that he put the box of tapes on the floor at his other stop and his conclusion that he must have mistakenly left them there. That leaves, in their minds, only the question of whether the box was tossed into the Dumpster with the load that was later incinerated. Though they believe that is highly likely, it cannot be proven. That's why Johns Hopkins concluded that, even though it believes the tapes most likely no longer exist, it should notify affected employees and patients.
Why didn't you report the loss of the tapes sooner?
Johns Hopkins began an aggressive investigation upon learning that some tapes were not returned. It has taken time for all the facts to become clear. The fact, which surfaced only on Jan. 26, that both university and hospital data were involved added to the complexity of the investigation. It has taken some time for us to determine which employees (including former employees) and patients might be affected and to prepare to contact and inform them through a variety of means.
What does Johns Hopkins have to say to its employees and patients?
First, Johns Hopkins apologizes to all affected employees and patients. This clearly should not have happened. Second, Johns Hopkins will provide any additional important information that comes to light and make any necessary changes to processes and procedures.
Will Johns Hopkins pay for credit protection services for affected people?
People who, despite the very low risk, remain concerned about protecting themselves would be well-advised to take advantage of their legal right to a free annual credit report. They may also consider the fraud alert service offered by the major credit bureaus and outlined in the document "What should affected employees and patients do?" There is no charge for this service.
Will Johns Hopkins continue to do business with the contractor that was to transfer the tapes to microfiche?
That relationship is under review. No determination has been made. In the meantime, we have suspended shipments of data to the contractor.
What is Johns Hopkins doing to prevent this kind of loss from happening again?
We are evaluating our processes and procedures for the handling of data of this nature and will make whatever changes are appropriate.
I've gotten a phone call about this incident, but I'm suspicious. What should I do?
Sometimes criminals will attempt to prey on individuals who have been informed of a situation such as this. It is possible, for instance, that a criminal will call or e-mail you, claiming to be from Johns Hopkins, and ask you to "confirm" certain information. What the criminal would really be doing is trying to trick you into providing information that he or she does not already have and that could be used for identity theft. DO NOT RESPOND TO ANY UNSOLICITED TELEPHONE OR E-MAIL COMMUNICATION PURPORTEDLY FROM JOHNS HOPKINS ASKING YOU TO PROVIDE PERSONAL IDENTIFYING INFORMATION. Johns Hopkins will not ask you to provide confidential information when contacting you in relation to this incident. If, however, YOU call the toll-free number set up for Johns Hopkins patients and employees, you may be asked for a limited amount of identifying information (such as name and address) so that the call center operators can be sure to provide you with correct information.
Were these tapes in any way connected with the HopkinsOne project?
No. In fact, the opposite is true. The university's creation of monthly tapes for the purpose of making a microfiche backup of payroll data was standard operating procedure before HopkinsOne's Jan. 1 "go-live." Payroll then was handled by what are referred to as the university's "legacy" systems. The eight university payroll tapes in question were to be the last of their kind. Such tapes are not being created now that payroll is being processed under the HopkinsOne system.
In the future, under HopkinsOne, how will Johns Hopkins maintain this kind of information for archiving?
Those determinations are still being made.
What can I do if I remain concerned, despite the low risk that my personal information will be misused?
Under federal law, you are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 877-322-8228. You may wish to stagger your requests so that you receive a free report by one of the three credit bureaus every four months.
A fraud alert tells creditors to contact you before they open any new accounts. To place a fraud alert on an account, call any one of these three major credit bureaus or visit the Experian Web site:
Equifax
As soon as one of the three bureaus confirms your fraud alert, the others are notified to place alerts on their records as well. You will then be able to order all three credit reports, free of charge, for your review. Placing fraud alerts does not affect your credit score.
Placing a fraud alert can protect you but may also delay you when you seek to obtain credit. There is more information here on the complications that placing a fraud alert could cause for you.
I already have fraud alerts on my records. Can I place them again?
Fraud alerts last 90 days, and the system will let you know that alerts are already in place if you try to place them again before they expire. You will not be notified when fraud alerts expire, so note the date when you place them. You can place them every 90 days for as long as you wish.
The university employee tapes included bank account information for employees with direct deposit. What has Johns Hopkins done to protect our bank accounts?
In response to employee suggestions, the university has notified the banks that handle the majority of our direct deposit transactions. The university also has notified the check/fraud units of the Baltimore City and Baltimore County police departments and the Maryland Association for Bank Security.
The Bank of America offers this advice to detect and respond to fraud involving a bank account:
Customers concerned about their bank accounts can go to a branch and request that "remarks" be placed on their accounts indicating potential fraudulent activity. But before you decide to do so, be sure to ask about what will happen as a result and how your access to your account may change.
For more information please see: