1.6 Million Affected by Lost Backup Tapes

Children's Health System Offers Free Credit Monitoring
1.6 Million Affected by Lost Backup Tapes
About 1.6 million individuals are being offered one year's worth of free credit monitoring and identity theft protection following a breach incident stemming from the loss of three unencrypted backup tapes at a facility owned by a children's health system.

Patient billing and employee payroll information on the tapes, missing from a Wilmington, Del., facility owned by Nemours, includes names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information, Nemours reported in a statement on its website.

This is the second major breach reported in recent weeks involving the loss or theft of backup tapes. In the other recent incident, TRICARE, the military health program, is notifying 4.9 million individuals about a breach stemming from the theft of backup tapes from the car of an employee at business associate Science Applications International Corp. That incident is the largest reported, based on the number of individuals affected, since the HIPAA breach notification rule took effect September 2009. The Nemours incident ranks as the fourth largest breach.

Nemours reports the backup tapes were stored in a locked cabinet, and the cabinet and tapes were reported missing Sept. 8. They are believed to have been removed on or about Aug. 10 during a facility remodeling project, Nemours said in a statement on its website.

The tapes had been stored since a computer systems conversion completed in 2004. Information on the tapes, mainly from 1994 to 2004, includes details on patients and their guarantors, vendors and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida, Nemours said.

"There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused," according to Nemours' statement. "Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes."

Nevertheless, Nemours reported it's taking steps to strengthen its data security practices, including "moving toward encryption of all computer backup tapes and moving non-essential computer backup tapes to a secure off-site storage facility."

Under the HIPAA breach notification rule, mandated under the HITECH Act, breaches of information that's been properly encrypted using a national standard do not have to be reported.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network