U Miami: Stolen Back-up Data 'Unlikely' To Be Misused

• By David Nagel
• 04/17/08

The University of Miami reported Thursday that computer back-up tapes containing personal information from some 2.1 million patients were stolen from a third-party storage facility in March. The university said it's confident that the information on those tapes is inaccessible to the thieves but is notifying patients anyway.

The data on the tapes had been encrypted, and the university contracted with an outside firm to test the strength of that encryption, finding that "misuse of the information on the tapes is unlikely," according to U Miami. Nevertheless, the university is in the process of notifying all 47,000 people whose financial information could have been exposed by the theft. U Miami said anyone who has been a patient of a U Miami physician or has visited a U Miami facility since 1999 could have their data on those tapes. The 47,000 figure includes only those whose financial information may have been in the back-up data. The total number of individuals whose information was on those tapes was 2.1 million, a U Miami representative told Campus Technology.

"Shortly after learning of the incident," U Miami reported, "the university determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written. Even so, the university engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes."

According to Terremark, the security firm spent a week trying to break the encryption on the tapes and could not come up with any usable data. According to Christopher Day, senior vice president of the Secure Information Services group at Terremark, breaking the encryption would "require certain key data which is not stored on the tapes...."

Included on the tapes were patient records that contained names, addresses, Social Security numbers, health information, and/or credit card and other financial information.

"Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship we should be transparent in this matter," said Pascal J. Goldschmidt, senior vice president for medical affairs and dean of the University of Miami Miller School of Medicine, in a statement released today.

Further information about the incident can be found here.