AOH :: ISN-3227.HTM

'Scrubbed' laptop had data on 6,000 Utahns

'Scrubbed' laptop had data on 6,000 Utahns
'Scrubbed' laptop had data on 6,000 Utahns,1249,650203974,00.html 

By Lois M. Collins
Deseret Morning News
November 3, 2006
More than 6,000 people who worked for Intermountain Healthcare's central 
urban region in 1999 have learned that a file listing their Social 
Security numbers was briefly for sale for $20.
The good news, according to Intermountain, is the man who unknowingly 
bought the data didn't compromise anyone. And steps have been taken to 
see it never happens again.
What happened when an old laptop from Intermountain's human-resources 
department was donated to Deseret Industries recently is a cautionary 
tale for employers who think they've scrubbed important information off 
discarded hard drives and those who still use Social Security numbers to 
identify employees.
The laptop contained information on hospital employees working at LDS, 
Cottonwood, and Alta View hospitals and the Orthopedic Speciality 
Hospital in 1999-2000, said Intermountain spokesman Jess Gomez whose own 
Social Security number was contained in the data file. The file listed 
names, Social Security numbers, telephone numbers, job title and an 
evaluation term to describe the type of employee. No patient information 
was on the laptop.

The laptop had actually been "scrubbed" before it was donated, said 
Gomez, but for unknown reasons, the one file survived. When a man bought 
the laptop and started examining it, he found the file and took it to 
KUTV, which notified Intermountain.
"At that point, the hard drive wasn't functioning, but when our techs 
put it in another computer, they could pull up the file, and yes, it 
contained that information," Gomez said.
Last week, 27,000 active employees and 3,400 former employees were 
notified. Intermountain said it would pay for credit monitoring for 
anyone who was worried, human-resource director Nancy Adams said. 
Intermountain also set up a dedicated hotline for anyone with concerns 
about what was being done to protect them. Adams said they've had 79 
Intermountain Healthcare stopped using Social Security numbers to 
identify employees two or three years ago, assigning each employee a 
randomly selected identification number, Adams said.
As a result of this incident, Intermountain no longer "scrubs" hard 
drives when computers are no longer to be used. The company has a 
contract with Dell to physically demolish the hard drives, she said.
"As someone who was on that list, I feel good that all the steps were 
taken to protect us," Gomez said. "We work hard to make sure patients 
and employees are as safe and protected as possible. The process in 
place was followed. The software program simply missed the one file. And 
thanks to the gentleman that purchased the laptop, we're certain no 
information was compromised."

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods