[Dataloss] Johns Hopkins Breach Notification Letter
security curmudgeon
jericho at attrition.org
Wed Feb 21 21:34:07 EST 2007
This is the letter sent out to Johns Hopkins employees about the recent
breach. For more information:
http://attrition.org/dataloss/2007/02/jhh01.html. Typos are my own and _
indicates underlined text. I personally think this letter is well written,
providing details on the nature of the incident, the information
potentially lost and what to do in response.
--
Office of the President
242 Garland Hall
3400 N. Charles Street
Baltimore, MD 21218-2691
February 6, 2007
[Name]
[Address]
Dear [Name]:
We learned recently that nine backup computer tapes sent out late in
December for conversion to microfiche were not returned to Johns Hopkins.
Eight of the nine were payroll tapes containing sensitive, personal
information about present and past university employees, _including you_.
The ninth tape contained personal, though less sensitive, demographic
information on some Johns Hopkins Hospital patients.
The university tapes included names, Social Security numbers and, for
employees paid by direct deposit, bank account information. There was
also information on birth dates, salary, deductions and retirement plan
contributions.
First, I apologize to you on behalf of the university's entire senior
leadership. _We do not believe the tapes were stolen or that the
information on them has been misused. In fact, the best evidence is that
they were inadvertently destroyed_. We have no evidence whatsoever of
identity theft arising from this incident. Nevertheless, the loss of tapes
containing your personal information is, obviously, a situation of
significant concern.
An intensive investigation by both Johns Hopkins and the contractor to
whom they were sent has determined that the tapes never reached the
contractor. We believe that they were mistakenly left at an intermediate
stop by a courier hired by the contractor. We believe it is highly likely
that they were thought to be trash, collected and incinerated.
WHAT YOU SHOULD DO
Although the best evidence is that the tapes have been destroyed, you may
feel it prudent to take precautions. Detailed suggestions are available at
http://www.jhu.edu/identityalert.
To summarize information available on that Web site: You may request free
copies of your credit reports. You also may place a fraud alert on your
credit file. A fraud alert tells creditors to contact you before they open
any new accounts.
To obtain a free annual credit report, go to
http://www.annualcreditreport.com or call 877-322-8228. You may wish to
stagger your requests so that you receive a free report from one of the three
credit bureaus every four months.
To place a fraud alert on your account, call any one of these three major
credit bureaus or visit the Experian Web site:
Experian: 888-397-3742 or http://www.experian.com
Equifax: 800-525-6285
TransUnionCorp: 800-680-7289
The process is easy and takes just minutes to complete. If you decide to
place a fraud alert with any one of the three bureaus, it will notify the
others to place alerts on their records as well. Johns Hopkins has
notified the three credit bureaus about this situation; they are aware
that Johns Hopkins employees may be calling.
There is information on the Web site at http://www.jhu.edu/identityalert
on what you should do if ever you detect any signs of fraud or other
problems in your credit report.
Again, please consult that Web site for more detailed information on this
incident. If you do not have access to the Web, we have set up a telephone
number for your use. Call 800-981-7524.
Please know that people falsely identifying themselves as Johns Hopkins
representatives could contact you and offer "assistance." Johns Hopkins
will not contact you by phone, mail, e-mail or any other method concerning
this incident to ask you for personal information. I urge you not to
release personal information in response to contacts of this nature.
The university apologizes to you for this very unfortunate occurrence. I am
sure you are concerned. Like you, Johns Hopkins takes this matter very
seriously. We will review our processes and procedures and do everything
we can to prevent a recurrence. We will post any important new information
to the Web site.
Sincerely,
William R. Brody