More than 6,000 people who worked for Intermountain Healthcare's central urban region in 1999 have learned that a file listing their Social Security numbers was briefly for sale for $20.
The good news, according to Intermountain, is the man who unknowingly bought the data didn't compromise anyone. And steps have been taken to see it never happens again.
What happened when an old laptop from Intermountain's human-resources department was donated to Deseret Industries recently is a cautionary tale for employers who think they've scrubbed important information off discarded hard drives and those who still use Social Security numbers to identify employees.
The laptop contained information on hospital employees working at LDS, Cottonwood, and Alta View hospitals and the Orthopedic Speciality Hospital in 1999-2000, said Intermountain spokesman Jess Gomez whose own Social Security number was contained in the data file. The file listed names, Social Security numbers, telephone numbers, job title and an evaluation term to describe the type of employee. No patient information was on the laptop.
The laptop had actually been "scrubbed" before it was donated, said Gomez, but for unknown reasons, the one file survived. When a man bought the laptop and started examining it, he found the file and took it to KUTV, which notified Intermountain.
"At that point, the hard drive wasn't functioning, but when our techs put it in another computer, they could pull up the file, and yes, it contained that information," Gomez said.
Last week, 27,000 active employees and 3,400 former employees were notified. Intermountain said it would pay for credit monitoring for anyone who was worried, human-resource director Nancy Adams said. Intermountain also set up a dedicated hotline for anyone with concerns about what was being done to protect them. Adams said they've had 79 calls.
Intermountain Healthcare stopped using Social Security numbers to identify employees two or three years ago, assigning each employee a randomly selected identification number, Adams said.
As a result of this incident, Intermountain no longer "scrubs" hard drives when computers are no longer to be used. The company has a contract with Dell to physically demolish the hard drives, she said.