Personal identifying information of 2.2 million people who have been patients of the University of Utah Hospitals and Clinics or their guarantors over the past 16 years was stolen last week. But police and health officials are giving the thief a unique opportunity to return it without consequence.
The U. is offering a $1,000 cash reward, "no questions asked," for return of the data.
Law enforcement believes the thief did not know what was in the gray metal box when he broke a car window and took it, said Salt Lake County Sheriff Jim Winder. If they have to track down the individual and the stolen material some other way, the penalties could be harsh, he added.
The records are in a form that is not easily accessible. A special computer application must be used to do so.
If, as law enforcement suspects, the thief is some kid "who engaged in a very stupid endeavor," then turning the metal box in with contents intact "is a way to solve the problem," said Tim Fuhrman, special agent in charge for the FBI.
The tapes containing a backup of the master patient billing record had been picked up by courier using a personal vehicle late in the afternoon on June 1, as part of a weekly transfer to storage. The backup is kept at a separate location in case of a disaster, such as fire or earthquake.
But instead of taking the tapes to Perpetual Storage Inc.'s facility in Little Cottonwood Canyon -- a secure vault under 200 feet of solid granite -- the 18-year veteran of the company took them home and left them in the car, parked overnight near 5200 South and 5000 West in Kearns. Sometime between 1:30 and 6:30 a.m., the car window was smashed and the box taken.
The Salt Lake County Sheriff's Office and the FBI are working together on the case, but the focus has now shifted to the university's efforts to notify patients so they can protect themselves.
Winder said the burglary was initially investigated as a simple car break-in until U. officials notified them of what, precisely, was contained on the data tapes. Among other things, the tapes held names, related demographic information and diagnostic codes, but no credit card information. It contained the Social Security numbers of 1.3 million patients and guarantors.
At that point, officers "re-responded" and the vehicle was processed for fingerprints. Deputies twice searched the neighborhood, hoping the thief believed the stolen item was a cashbox and discarded it when there was no money inside.
For three days, he said, the courier was investigated, but police are convinced that individual made a simple, but career-ending mistake. The box and a small bag containing some personal items were the only things taken from the vehicle -- the only burglary reported in that area in that 48-hour period, Winder said.
The incident is "a high priority" for an identity theft task force, which involves a dozen law enforcement agencies, Fuhrman said.
"We have had great success in our investigations," Fuhrman said. "There are steps we have taken that I can't get into publicly."
Hospital officials pointed out that when data has been stolen from other hospitals, there has been not one clear case of identity theft as a result. Fuhrman thinks identity theft in this case is unlikely. "People steal IDs for different reasons. This isn't the way people normally go about it."
Now police are asking the public to keep an eye out for the data.
During a news conference Tuesday on the theft, U. Hospital officials outlined steps the public, whose records may have been compromised, can take.
The U. is in the process of mailing out letters to all 2.2 million people, although officials believe it "was probably a random car burglary and it's unlikely the information was compromised," said Lorris Betz, U. senior vice president for Health Sciences. For the 1.3 million whose Social Security numbers were in the records, they're offering a year's free credit monitoring through Experian. And they've set up a toll-free information line and a Web site to help people.
What the U. will not do, Betz emphasized, is ask people by phone or e-mail for sensitive personal information in connection with the theft. It's fairly typical after some kind of crisis, for someone to scam people by pretending to be part of the solution to the problem. "We would advise you not to release information" that might be used for fraud or identity theft, Betz said, unless you initiate the transaction.
All transport of patient information has also been halted in the wake of the theft, Betz said. Perpetual Storage vice president James Nowa said his company is ramping up security efforts following the breach -- the company's only theft in 40 years, he said.
Anyone with information on the tapes can contact the Salt Lake County Sheriff's Office at 743-7000.