http://deseretnews.com/dn/view/0,1249,650203974,00.html
By Lois M. Collins
Deseret Morning News
November 3, 2006
More than 6,000 people who worked for Intermountain Healthcare's central
urban region in 1999 have learned that a file listing their Social
Security numbers was briefly for sale for $20.
The good news, according to Intermountain, is the man who unknowingly
bought the data didn't compromise anyone. And steps have been taken to
see it never happens again.
What happened when an old laptop from Intermountain's human-resources
department was donated to Deseret Industries recently is a cautionary
tale for employers who think they've scrubbed important information off
discarded hard drives and those who still use Social Security numbers to
identify employees.
The laptop contained information on hospital employees working at LDS,
Cottonwood, and Alta View hospitals and the Orthopedic Speciality
Hospital in 1999-2000, said Intermountain spokesman Jess Gomez whose own
Social Security number was contained in the data file. The file listed
names, Social Security numbers, telephone numbers, job title and an
evaluation term to describe the type of employee. No patient information
was on the laptop.
The laptop had actually been "scrubbed" before it was donated, said
Gomez, but for unknown reasons, the one file survived. When a man bought
the laptop and started examining it, he found the file and took it to
KUTV, which notified Intermountain.
"At that point, the hard drive wasn't functioning, but when our techs
put it in another computer, they could pull up the file, and yes, it
contained that information," Gomez said.
Last week, 27,000 active employees and 3,400 former employees were
notified. Intermountain said it would pay for credit monitoring for
anyone who was worried, human-resource director Nancy Adams said.
Intermountain also set up a dedicated hotline for anyone with concerns
about what was being done to protect them. Adams said they've had 79
calls.
Intermountain Healthcare stopped using Social Security numbers to
identify employees two or three years ago, assigning each employee a
randomly selected identification number, Adams said.
As a result of this incident, Intermountain no longer "scrubs" hard
drives when computers are no longer to be used. The company has a
contract with Dell to physically demolish the hard drives, she said.
"As someone who was on that list, I feel good that all the steps were
taken to protect us," Gomez said. "We work hard to make sure patients
and employees are as safe and protected as possible. The process in
place was followed. The software program simply missed the one file. And
thanks to the gentleman that purchased the laptop, we're certain no
information was compromised."
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Nov 05 2006 - 23:25:59 PST