Gazette
masthead
   About The Gazette Search Back Issues Contact Us    
The newspaper of The Johns Hopkins University February 12, 2007 | Vol. 36 No. 21
 
Missing Data Tapes Reported

No evidence that the tapes were stolen or that the data was misused

In a joint statement released last week, The Johns Hopkins University and The Johns Hopkins Hospital announced that they had become aware on Jan. 18 that eight backup computer tapes containing sensitive personal information on about 52,000 university employees had not been returned as expected by a contractor that routinely makes microfiche backups of such data. On Jan. 26, as an intensive investigation was under way, it was learned that a ninth tape, containing less sensitive personal information on approximately 83,000 patients at the hospital, had also not been returned as expected from the contractor.

All nine tapes had been sent to the contractor's Baltimore-area facility on Dec. 21. The investigation by both the contractor and Johns Hopkins has determined that the tapes never reached the facility. It also concluded that it is highly likely that the tapes were mistakenly left at another stop by a courier company hired by the contractor. They were thought to be trash, collected and later incinerated.

There is no evidence, officials said, to indicate that the tapes were stolen or that the data on them has been misused.

Johns Hopkins knows of no evidence of identity theft arising from this incident and believes that the risk of any such problems is very, very low.

"Our best information is that the tapes have been destroyed," said university President William R. Brody. "Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands. On behalf of Johns Hopkins, I apologize to all affected employees and patients. We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."

Johns Hopkins' conclusion is based on the findings of the experienced investigators who worked on this for both the Homewood and East Baltimore security departments. The investigation included interviews with the relevant people at the contractor and the courier service, including the courier himself; a review of the security tapes at the contractor (which confirm that the tapes never arrived there); corroborating interviews from people at the only other stop along the courier's route; a background check on the courier; and the courier's volunteering to take and then passing a polygraph examination.

In short, officials said, the investigators believe the courier's recollection that he put the box of tapes on the floor at his other stop and his conclusion that he must have mistakenly left them there. That leaves, in their minds, only the question of whether the box was tossed into the Dumpster with the load that was later incinerated. Though they believe that is highly likely, it cannot be proven. That is why Johns Hopkins concluded that, even though it believes the tapes most likely no longer exist, it should notify affected employees and patients.

Eight of the tapes contained university payroll files with sensitive personal information on a total of 52,567 present and former employees from all divisions except the Applied Physics Laboratory, which has a payroll system separate from the rest of the university's. Included are employees, retirees and students who have held campus jobs in the Baltimore-Washington area, elsewhere in Maryland, elsewhere in the United States and in other countries. Specifically, these are 32,091 employees who were paid anytime in 2006 as well as 20,476 people who were maintained in a master file but who were not paid in 2006.

The information included names, addresses, Social Security numbers and, for employees with direct deposit, bank account information. There was also information on birth dates, salary, deductions and retirement plan contributions.

The ninth tape held personal information on more than 83,000 patients of the hospital, all of whom either were new patients first seen between July 4, 2006, and Dec. 18, 2006, or who had changes in their demographic information in that time. The hospital tape included names and limited other personal information: date of birth, sex, race, mother's maiden name, father's name and medical record number. The patient tape had no medical information, Social Security numbers, addresses or financial information of any kind.

University, hospital or health system employees who have been Johns Hopkins Hospital patients might have been listed on the hospital tape.

Letters are being sent to all affected Johns Hopkins University employees, current and former, and to all affected Johns Hopkins Hospital patients, except for those relatively few for whom addresses are unavailable, explaining the situation and addressing concerns. To provide additional information, a Web site has been established at www.jhu.edu/identityalert. For those without access to the Web, a telephone number has been established at 800-981-7524.

The backup tapes were to have been transferred to microfiche for archiving, a regular monthly practice for the university payroll information and a weekly practice for The Johns Hopkins Hospital patient demographics information. The university and hospital tapes were in the same shipment.

Officials said that the tapes were in no way connected to the HopkinsOne project.

The university's creation of monthly tapes for the purpose of making a microfiche backup of payroll data was standard operating procedure before HopkinsOne's Jan. 1 "go-live." Payroll then was handled by what are referred to as the university's "legacy" systems. The eight university payroll tapes in question were to be the last of their kind. Such tapes are not being created now that payroll is being processed under the HopkinsOne system. Determinations are still being made as to how Johns Hopkins will archive this kind of information under HopkinsOne.

In keeping with industry standards, the information was not being transported in encrypted form, in part because of the incompatibility of formats and equipment between vendors and customers. Johns Hopkins is changing its processes to ensure that data sent to third parties is encrypted, but that process is not yet universal.

The tapes, however, were not compatible with typical personal computers. In order to access the data, an unauthorized person would have needed specialized equipment that most computer users do not have.

The incident was not announced earlier, officials said, because of the complexity of the investigation, which involved both university and hospital data. In addition, time was needed to determine which employees (including former employees) and patients might be affected and to prepare to contact and inform them through a variety of means.

 

Answers to FAQs

The university employee tapes included bank account information for employees with direct deposit. What has Johns Hopkins done to protect our bank accounts?

In response to employee suggestions, the university has notified the banks that handle the majority of our direct deposit transactions. The university also has notified the check/fraud units of the Baltimore City and Baltimore County police departments and the Maryland Association for Bank Security.

The Bank of America offers this advice to detect and respond to fraud involving a bank account:

Review your bank statement as soon as you receive it.

Report problems or unauthorized transactions to your bank by calling the number for customer service listed on the bank statement.

To avoid liability for unauthorized transactions, notify the bank within 60 days of the statement date. If you do not notify the bank in writing within 60 days after the statement was mailed to you, you may not get back any money you lost after the 60 days.

Continue to monitor your checking and savings accounts on an ongoing basis.

Customers concerned about their bank accounts can go to a branch and request that "remarks" be placed on their accounts indicating potential fraudulent activity. But before you decide to do so, be sure to ask about what will happen as a result and how your access to your account may change.

Will Johns Hopkins pay for credit protection services for affected people?

People who, despite the very low risk, remain concerned about protecting themselves would be well advised to take advantage of their legal right to a free annual credit report. They may also consider the fraud alert service offered by the major credit bureaus and outlined in the document they received called "What should affected employees and patients do?" There is no charge for this service.

What can I do if I remain concerned, despite the low risk that my personal information will be misused?

A fraud alert tells creditors to contact you before they open any new accounts. To place a fraud alert on an account, contact any one of these three major credit bureaus:

Experian
888-397-3742
www.experian.com

Equifax
800-525-6285

TransUnionCorp
800-680-7289

As soon as one of the three bureaus confirms your fraud alert, the others are notified to place alerts on their records as well. You will then be able to order all three credit reports, free of charge, for your review. Placing fraud alerts does not affect your credit score. Doing so can, however, delay you significantly when you want to open new credit accounts.

I already have fraud alerts on my records. Can I place them again?

Fraud alerts last 90 days, and the system will let you know that alerts are already in place if you try to place them again before they expire. You will not be notified when fraud alerts expire, so note the date when you place them. You can place them every 90 days for as long as you wish.

What if I am concerned about my bank accounts?

You may want to consider contacting your bank and letting it know what has happened. Johns Hopkins believes the risk to any of your accounts as a result of this incident is very, very low. Simply keeping a close eye on your accounts should be sufficient. You can also request that your bank place an extra password on the account to make it even more secure.

I've gotten a phone call about this incident, but I'm suspicious. What should I do?

Do NOT respond to any unsolicited telephone or e-mail communication purportedly from Johns Hopkins asking you to provide personal identifying information. Johns Hopkins will not ask you to provide confidential information when contacting you in relation to this incident.

If, however, YOU call the toll-free number set up for Johns Hopkins patients and employees (800-981-7524), you may be asked for a limited amount of identifying information, such as name and address, so that the call center operators can be sure to provide you with correct information.

Sometimes criminals will attempt to prey on individuals who have been informed of a situation such as this. It is possible, for instance, that a criminal will call or e-mail you, claiming to be from Johns Hopkins, and ask you to "confirm" certain information. What the criminal would really be doing is trying to trick you into providing information that he or she does not already have and that could be used for identity theft.

GO TO FEBRUARY 12, 2007 TABLE OF CONTENTS.
GO TO THE GAZETTE FRONT PAGE.


The Gazette | The Johns Hopkins University | Suite 540 | 901 S. Bond St. | Baltimore, MD 21231 | 443-287-9900 | [email protected]