AMR, the parent company of American Airlines, ran into some choppy air last month when it discovered a key hard drive containing the names, birth dates and Social Security numbers of thousands of current and former employees was stolen from its headquarters.

As eSecurity Planet discovered, this latest high-profile data breach impacted current and former employees dating as far back as 1960. So far, company officials said the compromised data has not been used to steal the identities of any of the affected workers.

Earlier this year, independent data security researcher and consulting firm Ponemon Institute estimated that more than 800,000 portable storage devices were stolen or misplaced last year, a fact that's led state and federal lawmakers to pass more stringent legislation holding companies accountable for safeguarding employee and customer data.

In one of the largest data breaches in recent months, AMR, the parent company of American Airlines, said it's now in the process of notifying more than 79,000 current, former and retired employees that a hard drive containing their most sensitive personal information was stolen for its corporate headquarters in Fort Worth, Texas.

AMR (NYSE: AMR) officials said the purloined drive contained images of microfilm files that stored data such as employees' names, address, birth dates, Social Security numbers and what it described as "limited" bank account information.

The data breach was discovered on June 4, according to AMR, and the company last week began mailing out notification letters to all affected employees and retirees. The data was compiled by the company's pension department and also included health insurance information, including the names and personal information of employees' beneficiaries.

The company is offering a free year of credit-monitoring services and, in a statement, said it has initiated new security procedures at its headquarters to prevent future data breaches of this magnitude.

The files contained extensive amounts of protected medical and financial information. They were not encrypted because a back-up process for the files did not permit them to be encrypted. Specialized technology and knowledge, however, are required to access the files, according to the hospital.

The hospital has prominently placed a notice of the breach on its Web site, along with a sample notification letter, the steps affected individuals can take to protect their medical and financial information, and a Q&A page. The hospital also has notified state and federal authorities.

The investigation continues and official letters of notification to affected individuals will start going out in four to six weeks, according to a hospital spokesperson. The sample notification letter does not include a hospital offer to provide free credit and identity theft protection services. Once the investigation is complete, the hospital will determine whether such services will be offered, and the sample notification letter is subject to change before being mailed to individuals, according to the spokesperson.

What follows is the hospital's official notice of the breach on its Web site:

"South Shore Hospital today reported that back-up computer files containing personal, health and financial information may have been lost by a professional data management company. The hospital had engaged the company to destroy the files because they were in a format the hospital no longer uses. The hospital has no evidence that information on the back-up computer files has been accessed by anyone. An independent information-security consulting firm has confirmed that specialized software, hardware, and technical knowledge and skill would be required to access and decipher information on the files.

"Based upon South Shore Hospital's investigation so far, the back-up computer files could contain personally identifiable information for approximately 800,000 individuals. Included among those individuals are patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with South Shore Hospital – between January 1, 1996 and January 6, 2010. The information on the back-up computer files may include individuals' full names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the back-up computer files.

"South Shore Hospital's back-up computer files were shipped for offsite destruction on February 26, 2010. When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.

"South Shore Hospital immediately launched an investigation when it learned that its back-up computer files may have been lost. The investigation has included working with the data management company and shippers to search for the missing back-up computer files, taking steps to verify the scope and types of information contained in the back up computer files, and assessing the possibility that someone could access that information. South Shore Hospital has advised the MA Attorney General's office, the MA Department of Public Health, and the US Department of Health and Human Services about this matter. The hospital also has ceased the offsite destruction of back-up computer files and is putting in place policies to ensure that a similar situation cannot occur. The investigation into the matter remains ongoing.

"I am deeply sorry that these files may have been lost," said Richard H. Aubut, South Shore Hospital president and chief executive officer. "Safeguarding confidentiality is fundamental to our mission of healing, caring and comforting. I recognize that this situation is unacceptable and would like to personally apologize to all those who have trusted us with their sensitive information."

"South Shore Hospital is working to verify whose information may have been on the missing back-up computer files. Formal notification letters will be sent to them in the next several weeks.  In the meantime, a sample individual notification letter has been posted.  While there is no evidence that information on the back-up computer files has been improperly accessed, individuals may take steps to protect themselves, such as obtaining a free credit report, which can be done by visiting www.annualcreditreport.com or calling (877) 322-8228 toll free, or placing a fraud alert on their credit report with one of the three major credit reporting agencies (Equifax, Experian and TransUnion Corp).

"Information about this matter is posted to South Shore Hospital's website at www.southshorehospital.org and is available through a special automated toll-free Information Line at (877) 309-0176."

–Joseph Goedert

For more information on related topics, visit the following channels:

·         Consumer Health

·         Data Security

·         Electronic Health Records

·         Policies/Regulation

·         Stimulus

·         Hospitals