BreachExchange mailing list archives
Johns Hopkins Breach Notification Letter
From: security curmudgeon <jericho () attrition org>
Date: Wed, 21 Feb 2007 21:34:07 -0500 (EST)
This is the letter sent out to Johns Hopkins employees about the recent breach. For more information: http://attrition.org/dataloss/2007/02/jhh01.html. Typos are my own and _ indicates underlined text. I personally think this letter is well written, providing details on the nature of the incident, the information potentially lost and what to do in response.

--

Office of the President
242 Garland Hall
3400 N. Charles Street
Baltimore, MD 21218-2691

February 6, 2007

[Name]
[Address]

Dear [Name]:

We learned recently that nine backup computer tapes sent out late in December for conversion to microfiche were not returned to Johns Hopkins. Eight of the nine were payroll tapes containing sensitive, personal information about present and past university employees, _including you_. The ninth tape contained personal, though less sensitive, demographic information on some Johns Hopkins Hospital patients.

The university tapes included names, Social Security numbers and, for employees paid by direct deposit, bank account information. There was also information on birth dates, salary, deductions and retirement plan contributions.

First, I apologize to you on behalf of the university's entire senior leadership.

_We do not believe the tapes were stolen or that the information on them has been misused. In fact, the best evidence is that they were inadvertently destroyed_. We have no evidence whatsoever of identity theft arising from this incident. Nevertheless, the loss of tapes containing your personal information is, obviously, a situation of significant concern.

An intensive investigation by both Johns Hopkins and the contractor to whom they were sent has determined that the tapes never reached the contractor. We believe that they were mistakenly left at an intermediate stop by a courier hired by the contractor. We believe it is highly likely that they were thought to be trash, collected and incinerated.

WHAT YOU SHOULD DO

Although the best evidence is that the tapes have been destroyed, you may feel it prudent to take precautions. Detailed suggestions are available at http://www.jhu.edu/identityalert. To summarize information available on that Web site:

You may request free copies of your credit reports. You also may place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts.

To obtain a free annual credit report, go to http://www.annualcreditreport.com or call 877-322-8228. You may wish to stagger your requests so that you receive a free report from one of the three credit bureaus every four months.

To place a fraud alert on your account, call any one of these three major credit bureaus or visit the Experian Web site:

Experian: 888-397-3742 or http://www.experian.com
Equifax: 800-525-6285
TransUnionCorp: 800-680-7289

The process is easy and takes just minutes to complete. If you decide to place a fraud alert with any one of the three bureaus, it will notify the others to place alerts on their records as well. Johns Hopkins has notified the three credit bureaus about this situation; they are aware that Johns Hopkins employees may be calling.

There is information on the Web site at http://www.jhu.edu/identityalert on what you should do if ever you detect any signs of fraud or other problems in your credit report.

Again, please consult that Web site for more detailed information on this incident. If you do not have access to the Web, we have set up a telephone number for your use. Call 800-981-7524.

Please know that people falsely identifying themselves as Johns Hopkins representatives could contact you and offer "assistance." Johns Hopkins will not contact you by phone, mail, e-mail or any other method concerning this incident to ask you for personal information. I urge you not to release personal information in response to contacts of this nature.

The university apologizes to you for this very unfortunate occurrence. I am sure you are concerned. Like you, Johns Hopkins takes this matter very seriously. We will review our processes and procedures and do everything we can to prevent a recurrence. We will post any important new information to the Web site.

Sincerely,
William R. Brody

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 149 million compromised records in 580 incidents over 7 years.