Billing records for about 2.2 million U Hospital and Clinics patients and guarantors were stolen from a company working for the U on June 2.
A metal box containing backup tapes was stolen from a car that belongs to an employee of an independent moving company Perpetual Storage Inc. The encrypted tapes contain information on patients who were seen by a provider connected with the hospitals within the past 16 years.
The U Hospital and Clinics hired the company to move its records to an off-site vault to secure them from disasters such as fire or earthquakes.
According to company protocol, the employee was supposed to use a company van to move the records and take them directly to the vault. Instead, the employee used his own car to pick up the records from the hospital and drove home.
The records were stolen near 5200 South 50 West when the employee left the box in his car overnight. The employee called police when he realized the car had been broken into. A small bag containing personal items was also stolen from the vehicle.
The theft was most likely a random car burglary because the box looks like one used to store cash, said Salt Lake County Sheriff James Winder.
When the police were told what was in the box, they contacted the FBI because the information could be used to commit identity theft, especially because it contained 1.3 million Social Security numbers.
“I can’t think of any incident in my experience with a comparable potential impact (for identity theft) here in the Salt Lake area,” Winder said.
However, he said there is no evidence yet that any of the information has been used for identify theft.
FBI Agent Tim Fuhrman said that a previous theft similar to this did not result in any reported identity theft. A laptop was stolen from a Veterans Administration employee in Washington, D.C. that contained 20 million veteran records, and when the laptop was recovered several weeks later, it was determined that none of the information had been compromised.
Letters were sent out to the patients and guarantors informing them of the situation and the steps they can take to protect themselves from identify theft. A press conference was heldTuesday at the Officer’s Club on campus Tuesday to explain the situation and advise those involved what they can do to prevent identity theft.
According to information from the Office of Public Affairs for University Health Care and U Health Sciences, possible victims can place a fraud alert on their personal credit file to ensure they will be contacted before any new charges are made to their existing accounts. The letters sent out to those whose Social Security number was jeopardized contained access codes that allows them to receive one year of free credit monitoring.
All delivery services with Perpetual Storage Inc. have been suspended while U Hospitals and Clinics reviews all protocols and procedures for transporting and storing back-up data. The employee involved has also been terminated. He had worked with the company for 19 years.