News

posted on 25 April 2008 07:34

Six University of Miami backup tapes being transported to an offsite disaster recovery facility were stolen in a vehicle break-in in March. In contrast to the stolen Boots tapes in the UK, these were encrypted.

The tapes, packaged inside a transport case, contained more than 2 million medical records relating to patients. They included names, addresses, Social Security numbers and health information on all patients at the university's medical facilities since Jan. 1, 1999. Financial data from approximately 47,000 people may be on the missing tapes. All potential victims have been contacted.

Although the University delayed telling patients and the public until this month, two aspects of its reaction were highly praiseworthy. Firstly, it stopped transporting tapes off-site.

Jacqueline Menendez, communications VP for the university, said: "At this point, we're not transporting anything until we conduct our own internal evaluation of the incident and see if there's anything that could have been done differently or better."

Secondly, the university engaged a Florida-based computer forensics company, Terremark Worldwide Inc., to see if it could extract identity theft data from similar tapes. The firm worked on the tapes for several days but could not extract any meaningful data. The information on the tapes was compressed and encrypted.

Christopher Day, SVP of Terremark' Secure Information Services group, said: "For more than a week my team devised a number of methods to extract readable data from the tapes. Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data.’’

Day said that even if the thief had a copy of the same software used to write the tapes: "it would require certain key data which is not stored on the tapes before the software would make the data readable.’’

The university asked Kroll Ontrack to review the testing. A senior managing director at Kroll, Alan Brill, said: “While the (Terremark) report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes. If the thief cannot cross all of those barriers simultaneously, they can’t access the data.’’

The local Coral Gables, Fla, police think that it was a random theft.

Menedez said: ""The university feels confident that the person who took (the tapes) doesn't know what they have. Even if they do know what's contained inside, it's very difficult to extract that information."

'Very difficult' seems to be an understatement; 'near impossible' would appear to be more accurate. Also, the contrast between the energetic University of Miami response to the theft and the relaxed complacency of the UK's Boots and its Dental Plan administrator Medisure is striking, particularly so given that their backup tapes were not even encrypted.