Nemours Reports Missing Backup Tapes Contain Patient and Payroll Data on 1.6 Million
Three unencrypted computer backup tapes containing patient billing and employee payroll data have been reported missing from a Nemours facility in Wilmington, Delaware. The tapes were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project.
There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.
“This is an isolated incident unrelated to patient care and safety,” said David J. Bailey, M.D., President and Chief Executive Officer. “The privacy of our patients, their families, and our employees and business partners is a high priority to all of us at Nemours.”
The information on the tapes dates principally between 1994 and 2004 and relates to approximately 1.6 million patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida. The missing backup tapes contained information such as name, address, date of birth, Social Security number, insurance information, medical treatment information, and direct deposit bank account information.
Nemours is notifying individuals who may have been affected and offering them one year of free credit monitoring and identity theft protection as well as call center support. Additionally, Nemours is taking immediate steps to strengthen its data security practices. These include moving towards encrypting all computer backup tapes and moving non-essential computer backup tapes to a secure off-site storage facility.
Source: Nemours Press Release
Update 11-4-2011: When this incident was reported to HHS, the number affected indicated was 1,055,489. It’s not clear which is the more current or accurate number.