(Chattanooga Times (Free Press, TN) (KRT) Via Thomson Dialog NewsEdge) Sep. 24--Thousands of Erlanger employees' names and Social Security numbers stored electronically disappeared from a locked office last week, and hospital officials are notifying them in letters sent Friday.

"We did our own investigation of the incident," Erlanger spokeswoman Nancy White said Saturday. "We needed to determine who was affected and who was not affected. Within 24 hours of determining who they were, we got the letters out."

The letters, signed by Erlanger Chief Executive Officer Jim Brexler, were sent to about 4,150 current and former employees thought to be affected and about 2,500 current employees who were not affected. The names and accompanying personal information were stored on a USB device, also known as a "jump drive," according to the letters. USB is an acronym for "universal serial bus."

No patient information was included in the lost data. The database information was limited to names and Social Security numbers, the letters state.

In his letters, Mr. Brexler urged employees to protect themselves against identity theft by contacting credit bureaus.

Those who may be affected include Erlanger employees who were hired, transferred, promoted or terminated, as well as those who retired or resigned, between November 2003 and September 2006, the letter to them states.

That includes Mr. Brexler, who was hired in December 2003. The letters were sent to home addresses Friday.

"That's a little late. It would have been nice to know a little before," said Jackie Newman, an assistant nurse manager in Erlanger's Emergency Department. She said she didn't think she fell into the affected category but hadn't yet received a letter Saturday.

She said she had been the victim of identity theft before and had to go through the "tedious" process of flagging her Social Security number and monitoring her credit records.

She said she didn't feel the incident was malicious and it was unlikely to affect the hospital's mission of caring for patients.

"It hasn't shaken my faith in my employer," she said.

Erlanger officials said an employee who was authorized to use the information was working with the data in a secure area and noticed that the device was missing on Sept. 15. It remains unclear whether the information was merely lost or was stolen. Erlanger officials said there was no sign of a break-in at the office where the employee was working.

Ms. White said hospital policy prohibits identifying the person or saying whether the employee was disciplined.

Boston-based security expert Robert Siciliano, CEO of IDTheft-Security.com, said Erlanger should pay for credit monitoring for all of the people affected.

"They have a duty, because of their irresponsibility, to protect their employees," he said. "Unless you've been living in a cave in Afghanistan for the last three years, you should know you have a duty to protect that information."

Erlanger officials said Saturday they would do "whatever is necessary" to help employees protect their credit, including paying for credit reports or credit monitoring.

Mr. Siciliano said the data should have been password protected, encrypted and kept in a secure physical location.

Erlanger officials said Saturday they did not know whether the information was protected with a password or encryption.

Erlanger board Chairman Bob Johnson said he thought it was very likely that the storage device was thrown away accidentally.

"It should take care of itself," he said. "I don't think it was one of those situations where somebody was trying to steal identities."

Erlanger officials said the hospital had examined its security procedures in light of the incident.

"We are reviewing current procedure on handling of data storage devices to help ensure absolute security of information," Ms. White said Saturday.

California-based security consultant and identity theft expert Chris McGoey of CrimeDoctor.com said it is "ridiculous" that Erlanger employees' information was so vulnerable.

"This information shouldn't have just been left sitting around. That's like 'the dog ate my homework' excuse," he said.

He recommended that affected employees immediately order a credit report, then order another in 30, 60 and 90 days to monitor whether there have been any new applications for credit in their names.

He said for identity thieves to use Social Security numbers effectively, they typically must also get dates of birth, full names and current addresses. But the use of that kind of information isn't limited to credit applications, he said.

"The thing that would be of concern is not only opening credit, it is medical services, employee medical benefits. All kind of crazy things could happen," he said. "They could get arrested and could give it to police."

In May, veterans across the country went through a similar scare after a data analyst for the Department of Veterans Affairs was robbed of a laptop containing identifying information for 26.5 million veterans, reservists, active duty service members and Department of Defense employees. The laptop was recovered June 29. FBI investigators said they were confident that none of the information on the computer was compromised.

Last month, a subcontractor for the Department of Veterans Affairs reported losing a computer containing information for as many as 38,000 veterans who were treated at VA facilities in Pittsburgh and Philadelphia. That computer has not been recovered.

On Thursday, the U.S. Department of Commerce announced that since 2001, the U.S. Census Bureau had lost 1,138 laptops, including 249 with identifying information about U.S. citizens. However, according to a news release, "access passwords, complex database software, systemic safeguards and/or encryption technology significantly limit the potential for misuse of data on the laptops."

E-mail Emily Berry at eberry@timesfreepress.com

Copyright (c) 2006, Chattanooga Times/Free Press, Tenn.
Distributed by McClatchy-Tribune Business News.
For reprints, email tmsreprints@permissionsgroup.com, call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.

[ Back To TMCnet.com's Homepage ]

Discussions: