Security

Utah offers $1,000 reward for 2.2 million missing billing records

Leave a comment

My math skills must be waning. If I read this article correctly, the University of Utah Hospitals & Clinics is offering $1 for every 2200 billing records that were lost by Perpetual Storage Inc.:

A metal box containing the backup tapes, which contained billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system. The driver violated the protocols his company had established to ensure secure data transportation.

[…]

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked.

The numbers just do not make sense to me. Another report explains that 1.3 million Social Security numbers were on those tapes.

Here is the recap of how the driver violated his protocol:

The courier picked up the records on June 1. Instead of taking them to a storage center, he worked a second job and then went home, said Shane Manwaring, Salt Lake County deputy sheriff.

The next day, he discovered that someone had broken into his vehicle outside his Kearns home and taken the box, Manwaring said.

The key question, no pun intended, is why the trip was able to include this insecure detour. The obvious answer seems to be that the employee was in need of a second job, in need of a stop at home, and that the storage company had no way of detecting that the box was overdue for “direct route” delivery to a safe spot. The three things could be easily fixed, and I consider them a failure of security management, rather than solely the fault of an operator who made a predictable error. With only only $1,000 offered as a reward I have to wonder how serious anyone would be about security when they transport tapes.

Finally, assuming the tapes are returned, they were still stolen and potentially copied.

Incidentally, no pun intended again, Kearns Utah seems to be a dangerous neighborhood. The Salt Lake Tribune reported a man was shot with his own gun while trying to fight off a “high-dollar merchandise” burglar in his home on May 10th, 2008.

Updated to add (June 12, 2008): Vincent Arnold has been kind enough to post Symantec’s chart of the value of compromised information.

It does not take a rocket scientist to read this and see that a person with tape data from Utah University could be looking at a minimum of $1 per identity, and upwards of $1000 per identity for bank accounts. Compare that to the $1000 total offer for the return of the tape to its owners…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.