The theft of backup computer disks and tapes from the car of a Providence Home Services employee has forced the company to notify 365,000 of its patients that their private details have been compromised. Access to such data is today highly prized by criminals, suggesting that the theft was planned.
Around 365,000 clients of Providence Home Services, which provides healthcare services in the states of Oregon and Washington, have received notification that their private details and medical records were on the backup disks and tapes that were stolen.
A spokesman for Providence Home Services, a subsidiary of Providence Health Systems, announced that several disks and computer tapes containing private data were stolen from a car outside an employee's home. Designated company workers took home duplicate disks and tapes every night as part of a backup intended to guarantee access to critical information in case of an emergency such as a fire at primary offices. Following the incident this practice has since been stopped.
All the information on the tapes was encrypted and all the files on the disks were copied using a corporate data format. According to a Providence Home Services representative, it is theoretically possible to extract some useful information from the disks, though in practice it is very unlikely. The company has now decided to encrypt all its backup data.
There have been no reports of the stolen information being used for illicit purposes, as yet. Nevertheless, all those affected have been receiving letters notifying them of the incident, which took place on Dec. 31, 2005. The company said the delay of over four weeks was necessary in order to gather the relevant information that was stored on the stolen items and find out exactly who had been affected.
The disks (where the information was not encrypted) contained the names, addresses, dates of birth, the names of doctors, insurance details, diagnoses, doctors' prescriptions, and the results of medical tests. The disks also contained the social security numbers of around 250,000 patients and, in a few cases, their financial details.
It is noteworthy that nothing else of value was taken by the criminal, suggesting the thief was deliberately targeting the information on the backup disks and tapes. Most similar data thefts are the result of some valuable item such as a laptop being stolen. Information, it seems, has now become one of the most valuable items of our age.
"The affected company turned out to be one of the first to actually encrypt something which was later stolen. However, even this was limited to the data tapes, and not the disks. This points to the lack of an integrated approach to ensuring IT security, and a lack of control over confidential information in the corporate environment," says Denis Zenkin, marketing director at InfoWatch.
Source: Providence Health Systems