AlertBoot Endpoint Security

Disk Encryption vs. Forty Years Of Experience

The University of Utah Hospitals & Clinics are getting ready to inform approximately 2.2 million patients and guarantors that their information may be compromised, although they consider it highly unlikely.  According to businesswire.com, a company hired by the University of Utah lost a shipment of tapes with backups of billing records.  The tapes allegedly had the Social Security numbers for any of the 1.3 million people who had received treatment at the university over the past 16 years.  There is no mention of whether data security solutions like file encryption were used to protect the data.

 

The company that lost the tapes is Perpetual Storage, Inc. and, according to the article, this is the first time something like this has happened in its 40‑year history.  The employee who was transporting the tapes had left them in his car.  This was a violation of company protocols, which were designed to secure data during transportation, and led to the employee’s dismissal.  The employee in question had logged 18 years with the company.

 

The first incident in 40 years.  That certainly is an enviable record.  Assuming that at least one trip was made every day (a conservative estimate, I’d assume), it would imply a failure rate of 0.00685%.  So, how was this enviable record shattered?  Well, the protocol that was broken, which was a very good one, was that you pick up the tapes and take them to the storage facility: a structure built into a granite mountain and supervised by armed guards.  The employee, however, took the tapes home and left them in the car.  I think you can guess what happened afterwards.

 

So, what’s the moral of the story?  The moral is that there is no such thing as absolute security.  Even when the best systems are designed—be they digital or otherwise—to be as ironclad as possible, there is always a weak link.  In the above case, it was the employee’s behavior. (It usually is when it comes to weak links concerning security.)

 

The University of Utah has decided to suspend using Perpetual Storage.  The U of U is citing the need to review the contractor’s procedures and protocols.

 

If this is truly Perpetual’s first incident in 40 years—and there is no reason to doubt it—I’d imagine that Perpetual won’t lose the university as a client.  Let’s face it, one incident in 40 years is unheard of.  If anything, it’s a testament to how good their practices have been up to now.

 

What the university should be considering and reviewing, it seems to me, is whether they should use some kind of file encryption solution.  I don’t know what kind of security measures the University of Utah has, but tapes, computers, external drives, and other digital media storage devices get lost and stolen all the time, especially in settings such as hospitals with open environments.  There is no guarantee that the box of tapes wouldn’t have been stolen at the hospital, prior to the courier arriving to pick them up.

 

It’s true that the university is not at fault here.  But let’s face it, they’re in a better position to employ data encryption services like AlertBoot.  I mean, a courier and storage company can’t force their clients to use data encryption.  Plus, it only makes sense to protect such sensitive data as best as possible.  And, encryption does not cost much, especially when compared to what is entailed when a data breach does happen (mailing one-million-plus letters, for example, cannot be cheap, by any measure...).

 

The irony of the entire situation?  “Something that took a lifetime to create can be destroyed in only minutes. Your company cannot afford to take chances with the security of its vital records.” A direct quote from the Perpetual Storage, Inc. website.

 

Update (June 12, 2008): According to The Daily Utah Chronicle, the backup tapes were encrypted.  I like a happy ending.  Why the public notification, though?  Utah is a state where the loss of encrypted data does not require public notification.

 

Comments

AlertBoot Endpoint Security said:

As many as 100,000 people could be affected by the loss of three backup tapes belonging to the Peninsula

April 14, 2009 2:48 AM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.