University of Miami officials last week acknowledged that six backup tapes from its medical school that contained more than 2 million medical records was stolen in March from a van that was transporting the data to an off-site facility.
Jacqueline Menendez, vice president of communications at the university, said a vehicle used by Archive America Ltd. to transport the patient data was broken into in downtown Coral Gables, Fla., on March 17. Thieves removed a transport case carrying the school's computer backup tapes, she said.
For reasons Menendez could not explain, Archive America waited 48 hours before finally notifying the university on Mar. 19 about the break-in and theft. Officials from the transport firm couldn't be reached.
The university posted an alert about the incident on April 17, a full month after the backup tapes were stolen. In a statement, Doctor Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, said, "Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter."
Since the incident, Mendendez said that the university temporarily stopped transporting backup data off-site. "At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better," she said.
Coral Gables law enforcement officials, who are investigating the incident, have informed the school that it was likely a "random theft," Mendendez noted.
The stolen backup tapes hold names, addresses, Social Security numbers and health information all patients at university medical facilities since Jan. 1, 1999. Financial data from approximately 47,000 people may be on the missing tapes, said Mendendez. Each potential victim has been contacted by the school, she said.
After learning about the data breach, the university contacted local computer forensics companies to see if data on a similar set of backup tapes could be accessed. Menendez said security experts at Terremark Worldwide Inc. "tried for days" to decode the data but could not because of proprietary compression and encoding tools used to write data to the storage tapes.
"The university feels confident that the person who took [the tapes] doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information," remarked Menendez.
The school regularly sends its data off-site as a precaution against hurricanes and other natural disasters. The university has set up an FAQ on its Web site, a call center and a hot line to handle any inquiries about the data theft.