Missing Data Tapes Reported
No evidence that the tapes were stolen or that the data was
In a joint statement released last week, The Johns
Hopkins University and The Johns Hopkins Hospital announced
that they had become aware on Jan. 18 that eight backup
computer tapes containing sensitive personal information on
about 52,000 university employees had not been returned as
expected by a contractor that routinely makes microfiche
backups of such data. On Jan. 26, as an intensive
investigation was under way, it was learned that a ninth
tape, containing less sensitive personal information on
approximately 83,000 patients at the hospital, had also not
been returned as expected from the contractor.
All nine tapes had been sent to the contractor's
Baltimore-area facility on Dec. 21. The investigation by
both the contractor and Johns Hopkins has determined that
the tapes never reached the facility. It also concluded
that it is highly likely that the tapes were mistakenly
left at another stop by a courier company hired by the
contractor. They were thought to be trash, collected and
There is no evidence, officials said, to indicate that
the tapes were stolen or that the data on them has been
Johns Hopkins knows of no evidence of identity theft
arising from this incident and believes that the risk of
any such problems is very, very low.
"Our best information is that the tapes have been
destroyed," said university President William R. Brody.
"Nevertheless, we are concerned that there was ever even a
possibility that the information on them was out of
authorized hands. On behalf of Johns Hopkins, I apologize
to all affected employees and patients. We will review our
processes and procedures and make any appropriate changes
in an effort to ensure that this does not happen again."
Johns Hopkins' conclusion is based on the findings of
the experienced investigators who worked on this for both
the Homewood and East Baltimore security departments. The
investigation included interviews with the relevant people
at the contractor and the courier service, including the
courier himself; a review of the security tapes at the
contractor (which confirm that the tapes never arrived
there); corroborating interviews from people at the only
other stop along the courier's route; a background check on
the courier; and the courier's volunteering to take and
then passing a polygraph examination.
In short, officials said, the investigators believe
the courier's recollection that he put the box of tapes on
the floor at his other stop and his conclusion that he must
have mistakenly left them there. That leaves, in their
minds, only the question of whether the box was tossed into
the Dumpster with the load that was later incinerated.
Though they believe that is highly likely, it cannot be
proven. That is why Johns Hopkins concluded that, even
though it believes the tapes most likely no longer exist,
it should notify affected employees and patients.
Eight of the tapes contained university payroll files
with sensitive personal information on a total of 52,567
present and former employees from all divisions except the
Applied Physics Laboratory, which has a payroll system
separate from the rest of the university's. Included are
employees, retirees and students who have held campus jobs
in the Baltimore-Washington area, elsewhere in Maryland,
elsewhere in the United States and in other countries.
Specifically, these are 32,091 employees who were paid
anytime in 2006 as well as 20,476 people who were
maintained in a master file but who were not paid in
The information included names, addresses, Social
Security numbers and, for employees with direct deposit,
bank account information. There was also information on
birth dates, salary, deductions and retirement plan
The ninth tape held personal information on more than
83,000 patients of the hospital, all of whom either were
new patients first seen between July 4, 2006, and Dec. 18,
2006, or who had changes in their demographic information
in that time. The hospital tape included names and limited
other personal information: date of birth, sex, race,
mother's maiden name, father's name and medical record
number. The patient tape had no medical information, Social
Security numbers, addresses or financial information of any
University, hospital or health system employees who have
been Johns Hopkins Hospital patients might have been listed
on the hospital tape.
Letters are being sent to all affected Johns Hopkins
University employees, current and former, and to all
affected Johns Hopkins Hospital patients, except for those
relatively few for whom addresses are unavailable,
explaining the situation and addressing concerns. To
provide additional information, a Web site has been
www.jhu.edu/identityalert. For those without access to
the Web, a telephone number has been established at
The backup tapes were to have been transferred to
microfiche for archiving, a regular monthly practice for
the university payroll information and a weekly practice
for The Johns Hopkins Hospital patient demographics
information. The university and hospital tapes were in the
Officials said that the tapes were in no way connected
to the HopkinsOne project.
The university's creation of monthly tapes for the
purpose of making a microfiche backup of payroll data was
standard operating procedure before HopkinsOne's Jan. 1
"go-live." Payroll then was handled by what are referred to
as the university's "legacy" systems. The eight university
payroll tapes in question were to be the last of their
kind. Such tapes are not being created now that payroll is
being processed under the HopkinsOne system. Determinations
are still being made as to how Johns Hopkins will archive
this kind of information under HopkinsOne.
In keeping with industry standards, the information
was not being transported in encrypted form, in part
because of the incompatibility of formats and equipment
between vendors and customers. Johns Hopkins is changing
its processes to ensure that data sent to third parties is
encrypted, but that process is not yet universal.
The tapes, however, were not compatible with typical
personal computers. In order to access the data, an
unauthorized person would have needed specialized equipment
that most computer users do not have.
The incident was not announced earlier, officials
said, because of the complexity of the investigation, which
involved both university and hospital data. In addition,
time was needed to determine which employees (including
former employees) and patients might be affected and to
prepare to contact and inform them through a variety of
Answers to FAQs
The university employee tapes included bank account
information for employees with direct deposit. What has
Johns Hopkins done to protect our bank accounts?
In response to employee suggestions, the university
has notified the banks that handle the majority of our
direct deposit transactions. The university also has
notified the check/fraud units of the Baltimore City and
Baltimore County police departments and the Maryland
Association for Bank Security.
The Bank of America offers this advice to detect and
respond to fraud involving a bank account:
Review your bank statement as soon
as you receive it.
Report problems or unauthorized
transactions to your bank by calling the number for
customer service listed on the bank statement.
To avoid liability for
unauthorized transactions, notify the bank within 60 days
of the statement date. If you do not notify the bank in
writing within 60 days after the statement was mailed to
you, you may not get back any money you lost after the 60
Continue to monitor your checking
and savings accounts on an ongoing basis.
Customers concerned about their bank accounts can go to a
branch and request that "remarks" be placed on their
accounts indicating potential fraudulent activity. But
before you decide to do so, be sure to ask about what will
happen as a result and how your access to your account may
Will Johns Hopkins pay for credit protection services
for affected people?
People who, despite the very low risk, remain
concerned about protecting themselves would be well advised
to take advantage of their legal right to a free annual
credit report. They may also consider the fraud alert
service offered by the major credit bureaus and outlined in
the document they received called "What should affected
employees and patients do?" There is no charge for this
What can I do if I remain concerned, despite the low
risk that my personal information will be misused?
A fraud alert tells creditors to contact you before
they open any new accounts. To place a fraud alert on an
account, contact any one of these three major credit
As soon as one of the three bureaus confirms your
fraud alert, the others are notified to place alerts on
their records as well. You will then be able to order all
three credit reports, free of charge, for your review.
Placing fraud alerts does not affect your credit score.
Doing so can, however, delay you significantly when you
want to open new credit accounts.
I already have fraud alerts on my records. Can I place
Fraud alerts last 90 days, and the system will let you
know that alerts are already in place if you try to place
them again before they expire. You will not be notified
when fraud alerts expire, so note the date when you place
them. You can place them every 90 days for as long as you
What if I am concerned about my bank accounts?
You may want to consider contacting your bank and
letting it know what has happened. Johns Hopkins believes
the risk to any of your accounts as a result of this
incident is very, very low. Simply keeping a close eye on
your accounts should be sufficient. You can also request
that your bank place an extra password on the account to
make it even more secure.
I've gotten a phone call about this incident, but I'm
suspicious. What should I do?
Do NOT respond to any unsolicited telephone or e-mail
communication purportedly from Johns Hopkins asking you to
provide personal identifying information. Johns Hopkins
will not ask you to provide confidential information when
contacting you in relation to this incident.
If, however, YOU call the toll-free number set up for
Johns Hopkins patients and employees (800-981-7524), you
may be asked for a limited amount of identifying
information, such as name and address, so that the call
center operators can be sure to provide you with correct
Sometimes criminals will attempt to prey on
individuals who have been informed of a situation such as
this. It is possible, for instance, that a criminal will
call or e-mail you, claiming to be from Johns Hopkins, and
ask you to "confirm" certain information. What the criminal
would really be doing is trying to trick you into providing
information that he or she does not already have and that
could be used for identity theft.
GO TO FEBRUARY 12,
TABLE OF CONTENTS.
GO TO THE GAZETTE