Braving the Public

By Kim S. Nash Print this article Print

Providence Health & Services lost information on 365,000 patients—after 10 backup tapes and disks were stolen from the back of an employee's minivan. Now, 12 months and $7 million later, the health-care provider remains mired in the aftermath. Here's

Braving the Public

When Shields reported the theft, he said the disks and tapes were "highly encrypted" and that "it would be almost impossible to retrieve the data," according to the sheriff's report.

But the disks and tapes were not encrypted, as O'Brien and other Providence officials later learned, and even though the data on the tapes was stored in an old, hard-to-read format, it was not impossible to retrieve. O'Brien says it would require a "very sophisticated" thief with "a lot of money and a lot of time." Still, she had to assume the worst case. So, Providence

had to figure out what data was missing and how it was going to respond.

That took three weeks. "We didn't sleep," she says.

O'Brien's information-technology shop had to make copies of the tapes and disks to try to replicate the stolen backups, which held data from 12 databases and systems in various formats. The I.T. team didn't have equipment old enough to decipher them, however. So, they hired NTI Data Forensics to crack the tapes and see if anybody could read the data. That company had to hunt on eBay for a tape drive old enough to read the replicas.

About 10 days later, O'Brien's staff was able to start analyzing which pieces of information were on the tapes, how it was laid out (names and addresses, for example, were not joined, but separated in different segments), and whether information was duplicated. If people's names showed up nine times, Providence didn't want to send them nine letters telling them their data was compromised.

Kroll contracted with its sister company, Marsh, to set up call centers and train workers, including temporary employees, to talk to patients as they called in. Different information was missing for different patients, so the staff built software that allowed call center workers to look into its systems and, without touching the data, tell each patient exactly what was gone.

The breach would have been easier to handle if Home and Community Services had followed policies on retaining data. That, O'Brien adds, is another lesson learned—destroy data when it's no longer needed. "There's data [on minors] we're legally required to keep for 17 years, but we were holding data for longer than that," she says. The systems in Home and Community Services were so old, she adds, that they didn't stop archiving information after it reached a certain age.

After the theft, Providence rushed to move servers as fast as possible from Home and Community Services into the regional data center, secure storage for its data, and design information safety training for all employees—which includes cards attached to their ID badges in case they forget what they're supposed to do, according to O'Brien.

Spokesman Walker says he combed the Web for sites created by other companies that had suffered data breaches—Marriott Vacation Club, for one—to use as a guide for the Web site Providence was putting up (in English, Spanish, Russian and Vietnamese) and for the letters it was writing to patients. "There's no playbook here," he says.

Like other breached companies, Providence claimed in its notification letters and in subsequent public relations efforts that there's no indication the lost data has been used to steal anyone's identity. But such claims "involve a certain amount of guesswork," says Jason Paroff, a director of computer forensics at Kroll.

For example, if a laptop is returned, one simple tool is to check the "last accessed" dates in the meta-data recorded about each file. A knowledgeable data thief, however, can make a forensic image of a stolen hard drive, like a detective or FBI agent investigating computer crime. "If you do it right, you wouldn't leave any trail," Paroff says. Even if the computer were returned, "The person with the laptop after that wouldn't actually know anyone had copied the entire drive." Paroff is not working on the Providence case.

If the machine is still missing, a company can do little else but watch internal systems for signs of hacking and wait for reports of customers' identities being stolen. "No indication of access," he says, "just means they haven't seen it."

On Jan. 25, more than three weeks after the theft, Providence began sending notification letters to patients, advising them to call one of the three credit bureaus and put fraud alerts on their files. It also notified state and federal regulators.

"We are truly sorry for this situation, and recognize the concern and inconvenience this situation is causing you," the letter said in boldface type. "Providence is also preparing some special resources to help you."

The call center was slammed with calls—nearly 2,000 on the first day. Calls would spike after any new information about the theft, such as a television newscast. Patients were upset; they didn't understand how to work with the credit bureaus, and they were calling different departments in Providence demanding that their Social Security numbers be removed from the company's databases.

O'Brien took charge of that task, according to court papers, appointing leaders in each region to find ways to eliminate or reduce the internal use of Social Security numbers. "This is the first step on a journey," said a presentation from O'Brien that is part of the court record. "Provide de-identified examples of harm caused to patients and employees at PHS from inappropriate use of Social Security numbers (tell the story, create the shared need)."

Attorney General Myers' office began investigating whether Providence had violated Oregon's Unlawful Trade Practices Act, which forbids businesses, including health-care organizations, from misrepresenting their products and services. (Providence's code of conduct, published on its Web site, says, "We treat patient information with special care ... We protect and maintain patient, business, and employee information in accordance with Providence policy and applicable law….")

Scam artists got wind of the theft and started dialing people, pretending they were from Providence and looking for patients to get them to "verify" the data that was stolen, Providence warned in a press release. Complaints of identity theft began trickling in to the call center, along with the thousands of calls from people simply worried or confused about the breach.

Although no cases of identity theft have been attributed to Providence, a thief connected to "a large ring of sophisticated criminals" was found using a patient's wife's ID after $8,000 in fraudulent charges had appeared on the patient's credit card, according to court papers. The thief was arrested on Feb. 1 while trying to pass a bad check. Police found a stash of Social Security numbers, records from the Oregon Department of Motor Vehicles and newly printed fake Wells Fargo bank checks in his home. The detective on the case didn't think the information came from Providence, but the wife told the call center she knew of no other breach.

By Feb. 2, 10,000 patients had called Providence. So many patients were having trouble with the credit bureaus that Providence hired Kroll to monitor and restore their credit, which meant more training of call center workers and another round of letters.

First, however, Kroll made Providence clean up its data. About 120,000 of the letters Providence sent came back as undeliverable, according to court papers. Kroll told O'Brien's technology staff to run the stolen data through the National Change of Address database to get current addresses, as well as a commercial database to see how many patients the Social Security

Administration had recorded as dead. Ultimately, Providence gave Kroll a list of 383,418 people—18,418 more than Providence thought were breached, although Kroll says some folks were reclassified and counted twice.

The list was further broken down to identify patients who were children, patients who had died (along with their living relatives), and guarantors—friends or relatives who had agreed to pay patients' bills. To everybody with an address—of which Kroll had 260,163—Kroll sent membership packets so they could sign up for credit monitoring and restoration services if they wanted. For the 123,255 people who were still missing addresses, Kroll kept their names on file in case they heard about the theft and called. By March 31, 19,192 people had requested credit monitoring, according to court papers, and Kroll had referred three cases of possible identity theft to Providence.

One former patient, Rob Holmes, quickly put up a Web site, www.providenceidentitytheft.com, to help fellow victims of the data breach get "spin-free" information about it, he says, by telling his own tale and creating a chat forum for others.

In an interview, Holmes says that Providence's call center could not tell him which of his data had been revealed. Fill out a form, he says he was told, and we'll review your request. About three weeks later, Holmes got a printout showing what parts of his file were likely to have been breached. It was derived, a Providence letter explained, from the first backups made after the theft. His name, address, Social Security number and insurance number were there, along with the phone number and address of his mother, whom he listed as an emergency contact. Also included were three diagnostic codes pertaining to his sleep apnea condition and a list of equipment, such as masks and cushions, he had received from Home and Community Services from 2001 to early 2005.

Holmes was so mad that he filed a formal complaint with the U.S. Department of Health and Human Services, which asked him to sign a form consenting to let the government investigate. "I haven't heard from them since," he says. Health and Human Services says it can't discuss a patient's private information or the particulars of individual complaints. The Federal Trade Commission also received a complaint from someone about the Providence breach and has other records on the breach that it won't discuss, it says, because they are part of "a law enforcement investigation."

At Providence, O'Brien found the bad publicity tough to handle, because she doesn't know what else the company could have done. "People thought we were sitting on it for three weeks, I guess, twiddling our thumbs. But everybody was really busy 7 by 24 trying to do the right thing" to have a solution in place before going public with the theft.

The question for the court is whether Providence did enough.

Next page: In the Aftermath

This article was originally published on 2006-12-06
Senior Writer
Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.