Johns Hopkins University

Johns Hopkins Email Attachment Contained Personal Information

Abstract
Johns Hopkins University recently notified the Department of Health and Human Services of a security incident involving personal information of the dependents of employees in the university's Applied Physics Laboratory. DataBreaches.net and PHIPrivacy.net were able to reach out to Johns Hopkins University and obtain more information on this incident. It appears that an email message was sent out to some APL employees with an attachment containing the parent names, dependent names, dependent Social Security numbers, dependent dates of birth, dependent marital statuses, and dependent medical and dental coverage status for 695 individuals. The email in question was sent to 85 APL employees. Once the mistake was discovered, APL's IT staff immediately deleted the email from all 85 email accounts and from the central email server. In addition, all 85 APL staff submitted written verification that they had not printed or copied the email and no longer had any access to the information. As a precaution, APL is offering one year of free credit monitoring through Trusted ID to the individuals affected by the incident. To help prevent a similar incident in the future, APL is implementing the following changes:

  • Changed document naming methodology to differentiate between documents to avoid attaching incorrect documents.
  • Required all data extracts from its database that include sensitive data to be encrypted or password protected.
  • All Staff Benefits Office staff will be trained in the proper methods of encryption.
  • Required that all e-mails sent by the Staff Benefits Office to 5 or more staff members that include any attachment be reviewed by another team member to ensure the proper document is attached.
  • Will explore future capability of automated flagging of any electronic communications sent by Staff Benefits Office team members containing potentially sensitive data such as 9-digit numbers.

Johns Hopkins University's Applied Physics Laboratory's Web Site Breached

Abstract
The Web site for the Johns Hopkins University's Applied Physics Laboratory (APL) has been taken off line as staff investigate a cyber attack discovered Sunday. The APL, which performs research on military and NASA projects, found that an unknown individual penetrated the Web site and gained access to unclassified information. According to APL officials, the attacker(s) did not gain access to any internal systems or classified information. While the investigation is still ongoing, it appears that the attack may have started two weeks ago. An APL spokesperson said that while the web site has had minor security breaches in the past, this recent attack has been one of the most significant to date.

Hopkins Waits Five Weeks To Disclose Data Theft

Abstract
Johns Hopkins University waited five weeks before notifying patients and their families about the theft of a desktop computer containing patient information. The computer, taken from an "administrative area" of Johns Hopkins on July 15, contained patient names, Social Security numbers, dates of birth, medical history and other personal information. According to University officials, the computer was secured to the desk by a steel cable and it was password-protected. However, the computer did not contain encryption software to protect the data, nor was the data password-protected. According to Gary Stephenson, Hopkins spokesperson, police were notified about the breach two weeks after the computer went missing but the university delayed notification due to fears public notice "might sabotage the efforts" to recover the computer. Johns Hopkins is offering to pay for a year of credit monitoring services for affected patients.

Update 1
The computer stolen from Johns Hopkins University has reportedly been returned to the university by an attorney acting on behalf of an unnamed client. Michael Mastracci, a Baltimore attorney, says that he learned the whereabouts of the computer from a client and arranged to have the computer returned to Hopkins, but refused to go into detail with the press, citing attorney-client privilege. After examining the computer, Hopkins officials say there is no evidence that the information on the computer was compromised or that the computer was turned on at all. Based on video surveillance footage, authorities issued criminal summonses for a Hopkins employee and an employee of an on-site vendor.

Missing Backup Tapes Contain JHU Employee, Patient Data

Abstract
Johns Hopkins University and Johns Hopkins Hospital recently reported the loss of 9 data tapes containing the personal information of university employees and hospital patients. According to university officials, 8 of these tapes contained information such as the names, Social Security numbers and bank account information on as many as 52,000 JHU employees. The ninth tape appears to contain 83,000 patient records. However, hospital officials were quick to point out that this ninth tape does not contain sensitive or private information. Officials from both institutions say that there is no evidence that the tapes were stolen or misused. These officials believe that a courier must have simply left the tapes at another stop and that these tapes were destroyed.
