Billing records for approximately 2.2 million patients and guarantors were reported stolen this week from the University of Utah Hospitals & Clinics.
Officials said they are now assessing the network's information systems and safeguarding patient records.
Backup tapes of patient billing records, which were contained in a metal box, were stolen from a car belonging to an independent storage company, Perpetual Storage, Inc., which is contracted by the healthcare system. The system sends the backup tapes off-site for storage for disaster recovery purposes.
The billing records included patient names, related demographic information and diagnostic codes for those treated at University of Utah Hospitals & Clinics' facilities or by one of its providers during the past 16 years.
Hospital officials said none of the records contained credit card information. However, records for a subset of 1.3 million patients contained Social Security numbers.
Hospital officials said other types of information possibly included on the tapes are date of birth, physician name, insurance, driver's license number and, in rare instances, clinical notes corroborating diagnoses for billing purposes.
Hospital officials have reportedly consulted with an information technology security firm and concluded that it is possible to access the data, but only by using professional equipment.
The Salt Lake County Sheriff's Department, the FBI and the U.S. Postal Service are investigating the theft.
"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
Perpetual Storage representatives say the driver working for them violated the protocols the company had established to ensure secure data transportation.
Company officials say this is the only such incident in its 40-year history. They also said the employee who left the tapes in his car had been with the company for nearly 18 years.
"Although it is unlikely that information on the tapes will be compromised, we are nevertheless taking aggressive steps to protect our patients' confidentiality," said Lorris Betz, MD, senior vice president for Health Sciences.
The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending review of all procedures and protocols for transporting and storing backup data, and all patient data is being stored at a secure site.
The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked.
Tell me what you think about this latest breach in patient privacy. E-mail Associate Editor Molly Merrill at molly.merrill@medtechpublishing.com.