Johns Hopkins began notifying thousands of university employees and hospital patients yesterday that backup computer tapes containing personal information about them - some of it sensitive - have been missing for seven weeks.
Hopkins officials said they believe the data, which did not include patient medical information, wasn't compromised.
Still, two regulatory agencies that oversee hospitals are discussing whether to investigate Hopkins' security practices amid concerns of identity theft.
Eight university computer tapes, routinely sent to a contractor that makes microfiche archives of the data, held Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees.
A separate tape from the hospital had names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen between July 4 and Dec. 18, 2006, or those who updated their information during that period.
Hopkins officials said an "intensive investigation" by their staff as well as that of the contractor, Anacomp Inc., suggests that the tapes were likely misplaced by a courier, collected as trash and incinerated.
"Our best information is that the tapes have been destroyed. Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands," Hopkins University President William R. Brody said in a statement, apologizing for the incident.
"We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again," he said.
The hospital's relationship with Anacomp, based in San Diego, is also under review, and data shipments have been suspended.
According to Anacomp's Web site, "thousands of businesses and organizations worldwide" as well as the "majority of the Fortune 500" use its services to manage their documents and information technology equipment.
The company declined to comment beyond a statement reiterating Hopkins' findings.
"At no time do we believe the information on the tapes was accessed and we are virtually certain that the tapes were destroyed," Anacomp's statement read.
The news is reminiscent of other recent high-profile data losses, including last year's Veterans Affairs incident, in which the Social Security numbers of 26.5 million people were compromised in the burglary of an employee laptop.
Last summer, compact discs containing Social Security numbers and other personal data for patients at 12 Illinois and Indiana hospitals were missing for three days.
And a congressional report released in October said federal workers at 19 agencies have lost personal information affecting thousands.
Such events have led Maryland lawmakers to craft legislation this year that would allow residents to block access to their credit reports.
At Hopkins yesterday, employees said they understand that mistakes happen, but they expressed concern over why it took so long for the situation to come to light.
"I have no idea why they waited weeks to tell us that our private records have been violated," said Melody Higgins, a Hopkins nurse specializing in AIDS clinical trials. She got an e-mail yesterday morning alerting her to the situation.
"I mean, we could have put the fraud alert on our credit reports weeks ago," Higgins said. "I really don't understand what they were thinking waiting so long."
In a fact sheet distributed to employees, Hopkins officials addressed the question of why the loss wasn't reported sooner. The sheet noted the complexity of having both hospital and university data missing, as well as the time it took to identify affected parties and prepare contact data.
"Johns Hopkins began an aggressive investigation upon learning that some tapes were not returned," the sheet reads. "It has taken time for all the facts to become clear."
A spokeswoman emphasized those points in a telephone interview yesterday.
"If we didn't [take the time to gather the information], then we would have been misinforming people or not informing them to the extent that they should be," said Hopkins spokeswoman Joann Rodgers.
Privacy laws in seven states with affected people - New York, Hawaii, Louisiana, Maine, New Hampshire, New Jersey and North Carolina - required that Hopkins inform them of the breach.
Also notified were several regulatory bodies.
The state Office of Health Care Quality within the Department of Health and Mental Hygiene, which regulates hospitals and protects consumers, said it was seeking more preliminary information about the records before deciding whether to begin investigating the incident.
The agency has the power to launch an unannounced investigation, which could include searching files at Hopkins and interviewing employees and patients. Its powers range from writing deficiency reports to revoking licenses. More recently, it acquired the power to fine institutions for serious and uncorrected problems.