Johns Hopkins University has notified the U.S. Dept. of Health & Human Services of a breach involving 692 of its Applied Physics Laboratory employees’ dependents. Because HHS’s breach logs don’t provide a lot of detail, I contacted JHU for additional information on the incident. As I have come to expect from them, they promptly responded with full disclosure. In a statement from a JHU spokesperson, they described the breach as an an inadvertent release of staff dependents’ personal information to staff within the Applied Physics Laboratory:
In mid-June, approximately 85 staff members received an e-mail from the Lab’s benefits office with an incorrect attachment that included names, Social Security numbers, birthdates and other information on 692 dependents of APL staff members. Once the error was identified in early July, APL moved quickly to notify the parents of the listed dependents, and deleted the e-mail from staff e-mail boxes and Lab mail servers. The Lab also asked each recipient of the information to verify that they had disposed of the e-mail and attachment without printing or saving its contents and no longer had access to the information.
APL is not aware of any misuse of the information or harm resulting from this event. The Lab immediately provided proactive, comprehensive identity-theft protection for the affected dependents, and has taken several administrative steps to prevent such a release from occurring again.
JHU also provided this site with the text of the letter sent to those affected by the Johns Hopkins Institutions office that handles privacy-related actions:
October 7, 2010
Re: Compromise of Your Personal InformationWe are writing to inform you in a formal way of an event about which you already should be aware based on an e-mail sent to your Johns Hopkins University Applied Physics Laboratory-employed parent on July 7, 2010. Specifically, on July 2, 2010, the APL Staff Benefits Office became aware of the inadvertent release of personal information regarding certain dependents of APL employees enrolled in its medical and/or dental plan.
On June 15, 2010, batch e-mails were sent by the Staff Benefits Office to staff members with dependents over age 19 regarding continuing eligibility for benefits based on full-time student enrollment status. One batch of approximately 85 staff members received an incorrect attachment that included a listing of all staff with such dependents, as well as personal information about those dependents. The personal information included your parent’s name, your name, your Social Security number, your date of birth, your marital and disability status, and whether you are covered by medical and/or dental coverage.
Once the error was identified, APL’s IT department permanently deleted the e-mail from the 85 staff members’ e-mail boxes and subsequently deleted the e-mails from the APL server. The Staff Benefits Office reached out to all recipients of the e-mail to inquire whether the e-mail attachment had been opened, and requested written verification that they had made no electronic or printed copy of, and had no remaining access to, the attachment. All such verifications were received from those APL staff members.
APL also arranged to provide, at its expense, credit monitoring through Trusted ID for one year to protect your credit from possible identity theft. If you, or your parents on your behalf, have not yet enrolled you in that credit monitoring service, we encourage you to do so. In addition, enclosed is a set of Recommended Steps that outlines additional measures you can take to protect your information if you feel it is appropriate to do so.
In order to help assure that such an event does not occur again, the APL Staff Benefits Office has taken the following actions:
- Changed document naming methodology to differentiate between documents to avoid attaching incorrect documents.
- Required all data extracts from its database that includes sensitive data to be encrypted or password protected.
- All Staff Benefits Office staff will be trained in the proper methods of encryption.
- Required that all e-mails sent by the Staff Benefits Office to 5 or more staff members that include any attachment to be reviewed by another team member to ensure the proper document is attached.
- Will explore future capability of automated flagging of any electronic communications sent by Staff Benefits Office team members containing potentially sensitive data such as 9-digit numbers.
We sincerely regret this event and any concern that this matter may cause you. If you have any questions, you may call me at the number identified above.
Breaches are inevitable because of human error. I am consistently impressed with how Johns Hopkins responds when they do have a breach and wish more entities followed their lead in terms of writing clearly and forthrightly to people. Kudos, folks.
Cross-posted from PHIprivacy.net