
Consumer Affairs

Johns Hopkins Loses Data; Congress Aflutter


February 11, 2007
Johns Hopkins, the corporate parent of Johns Hopkins University, has disclosed that a contractor lost computer tapes containing information on 83,000 patients of the Johns Hopkins hospital system, as well as 52,000 employees.

The contractor had received nine tapes from Johns Hopkins to back up to microfiche, but had not returned the tapes on schedule.

Eight of the tapes contained "sensitive" personal information on Johns Hopkins employees, including employee payroll data, Social Security numbers, and bank account data for current and retired employees of the Johns Hopkins system.

The ninth tape contained "less sensitive" patient information from visitors to the hospitals between July and December 2006. Johns Hopkins claimed that the patient tape only included names and dates of birth.

(http://www.jhu.edu/news/univ07/feb07/statement.html)

Johns Hopkins said it and the unidentified contractor investigated and determined that the tapes were thrown in the trash.

The university called the risk of identity theft from the breach "very low" but gave no hint how it had arrived at this determination.

Johns Hopkins has set up a Web site for employees and patients affected by the breach, providing contact information and credit protection options for potential victims.

Johns Hopkins University president William Brody apologized to those affected by the breach, saying, "We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."

Congress' Call To Action

The Johns Hopkins breach was revealed only a day before Congress introduced a flurry of new legislation to deal with data breaches.

One bill, the "Personal Data Privacy and Security Act," would mandate data breach disclosures and would require companies to identify the information they collect on individuals.

Co-sponsored by Senators Patrick Leahy (D-VT) and Bernie Sanders (I-VT), the Act would also enable individuals to contact data broker companies and correct the information collected about them.

Not to be outdone, the House of Representatives put four bills on the table that deal with data security.

One -- the "Data Accountability and Trust Act" -- would empower the Federal Trade Commission (FTC) to create requirements for companies to protect and dispose of data they collect.

The FTC would conduct audits of companies that announced data breaches, and, like the Leahy-Sanders bill, the legislation would enable consumers to correct errors in background and credit reports.

Another bill, proposed by Reps. Ed Markey (D-MA) and Joe Barton (R-TX), would make it unlawful for companies to sell or resell Social Security numbers. However, the legislation would allow numerous exemptions, including law enforcement and public health agencies.

Much of the legislation proposed by Congress to combat data breaches has been criticized for preempting stronger state laws, and enabling too many exemptions for businesses and government agencies to avoid disclosing breaches or providing stronger security measures.
