[ISN] U. theft threatens patients' privacy

From: InfoSec News (alerts@private)
Date: Wed Jun 11 2008 - 01:02:13 PDT


http://www.sltrib.com/ci_9540210

By Melinda Rogers
The Salt Lake Tribune
06/11/2008

University of Utah Hospital and Clinics patients are bracing for the 
unknown as police and prosecutors investigate the theft of 2.2 million 
billing records filled with personal information.
    
Authorities say the records, stolen out of a courier's personal vehicle 
earlier this month, put the private data of patients from the past 16 
years at risk.
    
Tuesday's news was especially unsettling for people like Will Taylor, of 
West Valley City, whose premature daughter is a patient at University 
Hospital. Taylor has already been the victim of identity theft once, 
when thieves racked up credit card charges in his name.
    
Even so, he was not panicking yet.
    
"I will ask [the hospital] what precautions I can take and what they are 
doing about it," he said.
    
Measures so far include offering free credit monitoring services for at 
least 1.3 million patients whose Social Security numbers were 
compromised, and a $1,000 reward for the return of the tapes - no 
questions asked.
    
Salt Lake County Sheriff Jim Winder and Lorris Betz, a senior vice 
president for health sciences for University Health Care, say the stolen 
records were on backup tapes designed to safeguard the records in case 
materials housed in the hospitals and clinics were destroyed.
    
The tapes were taken from the vehicle of an employee of Sandy-based 
Perpetual Storage Inc. near the employee's Kearns home on June 2.
    
The employee had been assigned to pick up the tapes in a secure company 
van and transport them to an off-site vault, said James Nowa, a vice 
president for sales and marketing for Perpetual Storage. He violated 
company policy by taking them home and leaving them in his car.
    
A thief then broke into the employee's vehicle near 5200 South and 5000 
West, stealing a metal box holding the tapes, Winder said.
    
Nowa said the 18-year veteran employee has been fired, and the incident 
is the first of its kind he knows of in the company's 40-year history.
    
An investigation is ongoing, but the theft appears to be the work of 
inexperienced criminals who likely believed the metal box containing the 
tapes was filled with cash, said Winder. After collaborating with the 
FBI, Winder said it's unlikely the tapes were stolen to commit identity 
theft.
    
There's no evidence any of the information on the tapes has been 
accessed; besides, anyone trying to use the tapes would need specialized 
equipment to view the contents, Winder said.
    
But there are also no guarantees.
    
"If our information isn't safe, then what is?" patient Dan Christenson, 
of Salt Lake City, said Tuesday after learning of the theft.
    
Christenson regularly monitors his credit and bank accounts online. He 
said he now will check those reports more frequently.
    
Melodie Rydalch, spokeswoman for the U.S. Attorney's Office, said the 
FBI and the Utah Identity Task Force, which includes local and county 
law enforcement agencies, is investigating the thefts. She warned of 
federal penalties for anyone who uses stolen identities.
    
Betz said the university delayed releasing news of the security breach 
to the public until the sheriff's office had completed an initial 
investigation.
    
"We understand this is unwelcome news to our patients," said Betz.
    
The university had worked with Perpetual Storage for 12 years before the 
theft but suspended deliveries after the incident, Betz said. An 
assessment of university data security policies and procedures is under 
way, he said.
    
* Tribune reporters PAMELA MANSON and CARLOS MAYORGA contributed to this 
  report.
   
-=-   
   
Keeping an eye on your credit, warding off ID theft

    * Free credit monitoring services will be provided for patients 
      whose social security number was compromised. Information on the 
      services will be included in a letter to patients.

    * Consumers can lock their credit lines by contacting the nation's 
      three credit bureaus individually (http://www.transunion.com, 
      http://www.experian.com, http://www.equifax.com). The precaution 
      means anytime you apply for a mortgage, car loan, credit card, 
      department store account or any other type of credit, you will 
      have to confirm your identity and unlock your credit report.

    * The Utah Attorney General's Office sponsors the Identity Theft 
      Reporting Information System to assist victims of identity theft 
      at www.idtheft.utah.gov.

    * A $1,000 reward is being offered for the return of the stolen 
      tapes - no questions asked. Call the Salt Lake County Sheriff's 
      Office at 801-743-7000.

-=-      
   
What's missing and how to get help

    * Stolen patient information can include driver license numbers, 
      birth dates, physicians' names, insurance providers and procedure 
      codes designed for billing purposes. Social Security numbers were 
      also listed for 1.3 million patients. Credit card information was 
      not in the stolen records.
    
    * A Web site has been set up to answer questions related to the 
      theft, http://healthcare.utah.edu/billingrecordstheft;  or call 
      the help line, 866-581-3599. Patients will receive notification 
      and additional information by mail if their records were 
      compromised.


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jun 11 2008 - 01:08:35 PDT