Breach handling done right: Johns Hopkins Hospital
In 2007, when Johns Hopkins learned that backup tapes had been lost in transit, I complimented them for their handling of the incident. They’ve managed to impress me yet again — which is no small feat — by their handling of a recent incident….
In February, this site posted a story about a breach that may have involved an employee at Johns Hopkins Hospital in Baltimore. In its notification (pdf) to the Maryland Attorney General’s Office of April 3, the hospital provides more information on what happened and their response [SEE CORRECATION BELOW: these incidents may be unrelated].
On January 20, the hospital became aware that there may have been a breach involving patient information. A multi-agency investigation that included the hospital’s own corporate security professionals subsequently suggested one particular employee assigned to patient registration as a possible source of the stolen information, but there may have been other sources outside of the hospital. Despite a lack of certainty that the employee had been responsible, the hospital decided to send notifications and offer free services to patients based on a three-tier level of risk assessment.
The first group compromised 31 out of 46 individuals identified by law enforcement as having been victims of ID theft. Those 31 individuals had some connection to Johns Hopkins, while the remaining 15 had no connection. The 31 individuals were offered two years of credit monitoring, call center assistance, fraud resolution services, and up to $30,000 in reimbursement for expenses incurred.
The second group was identified as individuals whose records the employee would have had access to over a 13-month period and who had a Virginia mailing address (due to the hypothesized link to the driver’s license ring). Those 526 individuals were offered the same services and benefits as the first group, but for one year.
The third group consisted of everyone else whose data the employee would have had access to and who presumably had their data accessed for legitimate business purposes. This group of 10,200 was notified of the situation and to monitor their credit reports, etc., but were not offered any free services.
Separate support web sites via ID Experts were set up for the three different tiers.
Copies of the notification letters to individuals, attached to the notification to the state, demonstrate that once again, Johns Hopkins writes a straight-forward letter that answers the questions most people would ask and takes meaningful steps to try to assist those affected.
I do not see any mention of this incident on their web site, which is something they did do in the 2007 incident, but other than that, I wish more entities would study this hospital’s responses to breaches and learn from them how to deal with patients or clients when despite best efforts, there’s been a breach.
CORRECTION: Bob McMillan of IDG News Service reports that a Johns Hopkins spokesperson says that the January arrest of an employee reported in the media in February was “separate from this latest incident.” Did Johns Hopkins have two separate incidents involving employee misconduct, then? Clearly, there’s more to find out in that regard.
Update 5-12-09A spokesperson for the hospital confirms that the two incidents involving employee misconduct were unrelated. According to Gary Stephenson, in the case reported in February, a single employee appeared to be involved and the number of Hopkins patients victimized was probably less than 10. All known victims were notified and offered restitution services. Both incidents are still under investigation, and it is not known whether the unnamed employee involved in the second incident has been arrested or charged, although the employee was terminated by the hospital.