Johns Hopkins university and hospital have announced that backup tapes containing payroll data on 52,000 workers and medical information on 83,000 patients were lost last month, and are thought to have been destroyed.
Nine backup tapes that were shipped in late December by courier to a Baltimore-area contractor for conversion to microfiche were never returned, Johns Hopkins authorities said in letters and emails sent to former patients and current and former employees. On 18 January, Johns Hopkins discovered that the tapes had not been returned. Normally, backup tapes and the resulting microfiche are received within two weeks of their reaching the contractor.
"The investigation concluded that the tapes never reached the contractor. Johns Hopkins believes that the courier mistakenly left the box containing the tapes at another stop," the university said in a statement. "The shipping area at that other stop is generally full of boxes which are placed in a dumpster. Johns Hopkins believes it is highly likely that the tapes were thought to be rubbish, collected and incinerated."
Eight of the nine tapes contained payroll information on 20,000 former and 32,000 current employees of Johns Hopkins University. The data on the unencrypted tapes included employee names, Social Security numbers, birth dates and, in cases where employees were paid by direct deposit, bank account information.
The ninth backup tape contained the names of 83,000 hospital patients, their parents' names, race, sex, date of birth and medical record numbers. The patients affected were seen between 4 July and 18 December 2006, Johns Hopkins said.
"Our best information is that the tapes have been destroyed," William Brody, president of Johns Hopkins University, said in a statement yesterday. "Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorised hands. I apologise to all affected employees and patients. We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."
The school and hospital have set up websites and toll-free telephone numbers to answer questions from workers and patients.
Data losses involving universities and health care organisations aren't unusual. According to the Privacy Rights Clearinghouse, which tracks breaches and other data misadventures, the most recent large loss to a university was the 2 February disclosure by the University of Missouri about a January hack that involved files on nearly 4,000 researchers. On 26 January, meanwhile, tapes containing records of 50,000 members of Virginia-based Anthem Blue Cross Blue Shield were stolen from a lock box.