Personal Data of University of Miami Patients Stolen

CORAL GABLES, Fla. – In March, back-up tapes containing the confidential data of approximately 47,000 University of Miami (UM) patients were taken from a truck owned by a storage company.

Information from patients of a UM physician or who visited a UM medical facility since Jan. 1, 1999 may have been affected. However, according to UM officials, it is unlikely a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written.

On April 17, UM released the following statement regarding the data breach:

“A private off-site storage company used by the University of Miami has notified the University that a container carrying computer back-up tapes of patient information was stolen. The tapes were in a transport case that was stolen from a vehicle contracted by the storage company on March 17 in downtown Coral Gables, the company reported. Law enforcement is investigating the incident as one of a series of petty thefts in the area.

Shortly after learning of the incident, the University determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written. Even so, the University engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes.

“For more than a week my team devised a number of methods to extract readable data from the tapes,” said Christopher Day, senior vice president of the Secure Information Services group at Terremark. “Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.” Day said that his team also determined that even in the unlikely event that a thief had a copy of the same software used to write the tapes, “It would require certain key data which is not stored on the tapes before the software would make the data readable.”

Alan Brill, senior managing director at Kroll Ontrack, who was asked by the University to review the testing that had been done, said: “While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.”

Based on this information, the University believes misuse of the information on the tapes is unlikely.

“Even though I am confident that our patients’ data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter,” said Pascal J. Goldschmidt, M.D., senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine.

Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes. The data included names, addresses, Social Security numbers, or health information. The University will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment.

The University’s permanent records are not affected; all patient information remains current, protected, and appropriately available on UM computer systems.

Back-up tapes are stored off-site to facilitate the recovery of the University’s computer systems in the event of a disaster, such as a hurricane or fire. This is standard practice for many organizations. To address the possible concerns of all our patients, the University has created a Website to serve as the principal source of information about this incident: www.dataincident.miami.edu. As a back-up for the Website, a call center has been established at 1-866-628-4492.

Related articles:

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Get Our Newsletters
Campus Safety Conference promo