University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility.
Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America to transport the patient data was broken into in downtown Florida on 17 March. Thieves removed a transport case carrying the school's computer backup tapes, she said.
For reasons Menendez could not explain, Archive America waited 48 hours before finally notifying the university on 19 March about the break-in and theft. Officials from the transport firm couldn't be reached.
The university posted an alert about the incident on 17 April, a full month after the backup tapes were stolen. In a statement, said Pascal J. Goldschmidt, MD, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said: "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
Since the incident, Menendez said that the university temporarily stopped transporting back-up data off-site. "At this point we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better," she said.
Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft," she noted.
The stolen backup tapes hold names, addresses, Social Security numbers, and health information on all patients at university medical facilities since 1 January, 1999. Financial data from approximately 47,000 people may be on the missing tapes, said Mendendez. Each potential victim has been contacted by the school, she said.
After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed. Menendez said security experts at Terremark Worldwide. "tried for days" to decode the data but could not due to proprietary compression and encoding tools used to write data to the storage tapes.
"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information," remarked Menendez.
The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters. The university has set up a FAQ on its website, call centre and hotline to handle any inquiries about the data theft.