A container carrying computer back-up tapes containing information on 2.1 million patients was stolen from the University of Miami (UM) in March. University officials said they are confident that the information on those tapes is inaccessible to the thieves but has notified patients anyway.
Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the back-up tapes because of the complex and proprietary format in which they were written. However, the University engaged computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of back-up tapes.
The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, Terremark reported.
“For more than a week my team devised a number of methods to extract readable data from the tapes,’’ said Christopher Day, senior vice president of the Secure Information Services group at Terremark. “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.’’
Day said that his team also determined that even in the unlikely event that a thief had a copy of the same software used to write the tapes, “it would require certain key data which is not stored on the tapes before the software would make the data readable.’’
Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing process, said: “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.’’ Based on this information, the University believes misuse of the information on the tapes is unlikely.
Anyone who has been a patient of a UM physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers and/or health information. The University is notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.
The University’s permanent records are not affected; all patient information remains current, protected and appropriately available on UM computer systems.
To address the possible concerns, the University has created a website to serve as the principal source of information about this incident: www.dataincident.miami.edu.