The University of Miami has chosen to notify 41,000 out of 2.1 million patients whose personal information was exposed when thieves stole backup tapes.
The other 2.1 million people, apparently, should be reassured that their personal medical data was stolen, but the University feels it would be hard to read, and, well, there’s no financial identity theft risk associated with it. If you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.
There’s some analysis of how hard it would be to read the tapes. I’m skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?
The Breach Blog feels differently. In “University of Miami reports stolen tapes affecting patients,” he digs into the likelihood of the data being accessed.
Now, the University claims that the tapes are in a “complex and proprietary format,” which seems to be “Tivoli Storage Management” (Tivoli Storage Manager, TSM) from IBM. TSM has encryption capabilities (page 3 of this PDF.) I’m curious why that wasn’t in use.
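For readers wondering what “in use” would have looked like, here is an added illustration (not from the University, IBM, or the linked PDF) of the TSM backup-archive client options that turn on client-side encryption before data ever reaches tape. The server name, the stanza layout, the file paths, and the AES128 choice are assumptions for the sake of the example; check the option names and supported values against the client documentation for the version actually deployed.

```text
# Constructed example of a Unix dsm.sys server stanza with client-side
# encryption enabled. Stanza name and paths are placeholders.
SERVERNAME   tsm-server-placeholder
   COMMMETHOD        TCPIP
   TCPSERVERADDRESS  tsm.example.invalid

   # Cipher used for client-side encryption of backed-up data.
   # The weak default is no encryption at all; AES128 was the
   # strongest option available in the TSM 5.x client line.
   ENCRYPTIONTYPE    AES128

   # Where the encryption key lives. GENERATE keeps the key in the
   # TSM server database rather than on the client; SAVE stores it
   # in the client password file. Either way the key is not written
   # to the tape itself, so a stolen tape set alone is not readable.
   ENCRYPTKEY        GENERATE

   # Only objects matching INCLUDE.ENCRYPT rules are encrypted;
   # without such a rule, data goes to tape in the clear.
   INCLUDE.ENCRYPT   /var/lib/patientdb/.../*
   INCLUDE.ENCRYPT   /export/clinical/.../*
```

The point for a breach reviewer is the last stanza: encryption in TSM is opt-in per include rule, so “the product supports encryption” and “this data was encrypted” are different claims, and only the second one makes the “hard to read” argument hold up.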
Also, looking around, I found this quote at an IBM partner site:
Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman, this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.
Until I hear more, I’m skeptical of the University’s claims. I don’t believe, and I have not believed for a long time, that breach notices are about identity theft. They’re about the performance of a promise to protect information.
(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)