Hopkins Waits Five Weeks To Disclose Data Theft

Abstract
Johns Hopkins University waited five weeks before notifying patients and their families about the theft of a desktop computer containing patient information. The computer, taken from an "administrative area" of Johns Hopkins on July 15, contained patient names, Social Security numbers, dates of birth, medical history and other personal information. According to university officials, the computer was secured to the desk by a steel cable and was password-protected. However, the computer did not contain encryption software to protect the data, nor was the data password-protected. According to Gary Stephenson, Hopkins spokesperson, police were notified about the breach two weeks after the computer went missing, but the university delayed notification due to fears that public notice "might sabotage the efforts" to recover the computer. Johns Hopkins is offering to pay for a year of credit monitoring services for affected patients.

Update 1
The computer stolen from Johns Hopkins University has reportedly been returned to the university by an attorney acting on behalf of an unnamed client. Michael Mastracci, a Baltimore attorney, says that he learned the whereabouts of the computer from a client and arranged to have the computer returned to Hopkins, but refused to go into detail with the press, citing attorney-client privilege. After examining the computer, Hopkins officials say there is no evidence that the information on the computer was compromised or that the computer was turned on at all. Based on video surveillance footage, authorities issued criminal summonses for a Hopkins employee and an employee of an on-site vendor.