BreachExchange mailing list archives

Re: Followup: Tapes stolen containing patient info of 47,000


From: Adam Shostack <adam () homeport org>
Date: Sat, 26 Apr 2008 15:54:26 -0400

I've been doing some digging.  The "complex and proprietary format"
seems to be IBM's Tivoli Storage Manager, which comes with crypto
capabilities, and at least one IBM partner claims to be able to
reconstruct the data from their tapes.

Links & more:
http://www.emergentchaos.com/archives/2008/04/university_of_miami_good.html

Adam

On Sat, Apr 26, 2008 at 01:10:37PM -0500, Chris Walsh wrote:
| According to
| http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9080322&taxonomyId=19&intsrc=kc_top
| , *financial* data for 47K is on the tapes, but  *** 2,000,000 ***  
| records were exposed.
| 
| According to a FAQ set up by the university (http://dataincident.miami.edu/faqs.htm):
| 
| "The University will be notifying by mail the approximately 47,000  
| patients whose data included credit card or other financial  
| information regarding bill payment."
| 
| I read this as saying that they could have lost everything about me  
| that is in my medical record, including my name, address, diseases and  
| treatments, prognosis, family medical history, and the like, but if  
| the file didn't also have information on how I paid them, I do not get  
| notified.  Some clarification would be useful.  I find it hard to  
| imagine that a large proportion of these records don't have a name,  
| DOB, and SSN, for example, but it isn't clear from what the University  
| has said whether they consider this "financial information regarding  
| bill payment".
| 
| 
| On Apr 17, 2008, at 1:31 PM, rchick wrote:
| >
| > April. 17, 2008
| > BY John Dorschner
| > http://www.miamiherald.com/news/breaking_dade/story/499492.html
| >
| > The confidential information of tens of thousands of University of  
| > Miami patients was stolen last month when thieves took a case out of  
| > a vehicle used by a private off-site storage company, UM said  
| > Thursday morning
| >
| > ``Anyone who has been a patient of a University of Miami physician  
| > or visited a UM facility since Jan. 1, 1999, is likely included on  
| > the tapes,'' the university said in a news release. ``The data  
| > included names, addresses, Social Security numbers or health  
| > information. The university will be notifying by mail the 47,000  
| > patients whose data may have included credit card or other financial  
| > information regarding bill payment.''
| 
| _______________________________________________
| Dataloss Mailing List (dataloss () attrition org)
| http://attrition.org/dataloss
| 
| Tenable Network Security offers data leakage and compliance monitoring
| solutions for large and small networks. Scan your network and monitor your
| traffic to find the data needing protection before it leaks out!
| http://www.tenablesecurity.com/products/compliance.shtml
