Confidential records missing at MHI in Independence

[Erica Absetz <erica () riskbasedsecurity com>]

http://wcfcourier.com/news/local/govt-and-politics/confidential-records-missing-at-mhi-in-independence/article_efe73f7e-de6b-11e2-81bc-001a4bcf887a.html

DES MOINES --- Iowa Department of Human Services officials issued an
alert Wednesday to former patients at the Mental Health Institute in
Independence and hundreds of state employees there and at other state
facilities concerning a possible breach of their confidential
information.

Officials say the information was stored on a backup computer tape
that went missing April 30 cannot be located. A search for the tape
continues at the Independence facility, DHS spokesman Roger Munns said
in a news release, and officials believe it is likely that the tape
was inadvertently destroyed or discarded. Access to information on the
tape requires specialized and outdated equipment.

"The chance that your information was improperly accessed is small,
but we realize that you may want to take steps to be sure that your
information is not used by another person," said Bhasker Dave,
superintendent of the Independence facility that is administered by
the state Department of Human Services.

In letters mailed Wednesday, DHS officials explained what happened and
offered to pay for one-year enrollment in a credit monitoring service
for anyone who fears that the possible breach could lead to a stolen
identity, according to the department news release.

Officials said the tape does not contain any bank or credit card
information, but it does include Social Security numbers and addresses
for about 700 employees of several facilities managed by the DHS.

The tape also includes Social Security numbers and other information
regarding about 7,300 former patients at the Independence facility,
according to the DHS statement. A few records date back to the late
1980s but most refer to more recent patients. The tape does not
include records of patients who were admitted after June 2010.

The computer system is no longer used for patient records or employee
information, according to the DHS statement. The historical data had
not been purged from the computer system and continued to be backed up
on a monthly basis, Dave said. He noted that the computer system
requires the use of specialized equipment that is no longer serviced
by the manufacturer, and that the backup system has been changed to
eliminate the unnecessary retention of personally identifiable
information.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.