1.6 Million Affected by Lost Backup Tapes
Children's Health System Offers Free Credit MonitoringPatient billing and employee payroll information on the tapes, missing from a Wilmington, Del., facility owned by Nemours, includes names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information, Nemours reported in a statement on its website.
This is the second major breach reported in recent weeks involving the loss or theft of backup tapes. In the other recent incident, TRICARE, the military health program, is notifying 4.9 million individuals about a breach stemming from the theft of backup tapes from the car of an employee at business associate Science Applications International Corp. That incident is the largest reported, based on the number of individuals affected, since the HIPAA breach notification rule took effect September 2009. The Nemours incident ranks as the fourth largest breach.
Nemours reports the backup tapes were stored in a locked cabinet, and the cabinet and tapes were reported missing Sept. 8. They are believed to have been removed on or about Aug. 10 during a facility remodeling project, Nemours said in a statement on its website.
The tapes had been stored since a computer systems conversion completed in 2004. Information on the tapes, mainly from 1994 to 2004, includes details on patients and their guarantors, vendors and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida, Nemours said.
"There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused," according to Nemours' statement. "Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes."
Nevertheless, Nemours reported it's taking steps to strengthen its data security practices, including "moving toward encryption of all computer backup tapes and moving non-essential computer backup tapes to a secure off-site storage facility."
Under the HIPAA breach notification rule, mandated under the HITECH Act, breaches of information that's been properly encrypted using a national standard do not have to be reported.