This is an archived article that was published on sltrib.com in 2006, and information in the article may be outdated. It is provided only for personal research purposes and may not be reprinted.
Posted: 4:23 PM- Intermountain Healthcare is accustomed to touting its sophisticated electronic records system. But now the health care giant is having to explain how an old laptop containing the names, job titles, Social Security numbers and telephone numbers of 6,244 employees was donated to a secondhand store and sold for $20.
The 14-year-old machine, supposedly scrubbed of all its information, was given to Deseret Industries and sold six weeks ago to Tammera Funaro's father-in-law. Funaro, of Kearns, put the gift under her bed, and, about three weeks ago, decided to see if it worked.
"I just plugged it in, opened it up and there it was," Funaro said of the Intermountain file. "At first it looked like a few Social Security numbers, but I kept scrolling and scrolling over 6,000 names. . . . It was almost heartbreaking to realize how many lives could have been destroyed."
Funaro should know. Someone once stole her debit card and another person was arrested using her driver license, she said. Funaro, nervous about her discovery, took the laptop to television station KUTV, which returned it to Intermountain.
LDS Hospital spokesman Jess Gomez, whose Social Security number was on the laptop, said the breach was an anomaly and the file was not used inappropriately. The laptop was taken out of service in 2002 and run through software designed to destroy data, which was Intermountain's protocol for retiring computers at that time, Gomez said.
"Unfortunately, the software erased everything but this one file," he said, not knowing why the one file remained intact.
The computer was then given to an employee, who had it in storage until last month, when it was donated to Deseret Industries, Gomez said.
In 2003, Intermountain changed its protocol for retiring computers and contracted with Dell to destroy rather than scrub discarded hard drives. Because the computer in question had been out of Intermountain's possession since 2002, it did not go through the current protocol of having its hard drive destroyed, Gomez said.
Up to 150 million computer hard drives are discarded annually in the United States, and as many as half of them likely have sensitive files that can be recovered, according to a 2003 Massachusetts Institute of Technology investigation. Even data on "erased" hard drives can be retrieved.
MIT graduate students acquired 158 used hard drives from eBay and used-computer stores. Of those, only 12 were properly erased and 49 contained information such as medical records and credit card numbers. One computer had been used to power an ATM and contained a year's worth of transactions - account numbers and all.
Deseret Industries, a charitable thrift store owned by The Church of Jesus Christ of Latter-day Saints, said it is not responsible for data left on computers.
"We assume that donors have taken steps to eliminate personal data from hard drives before donating them to Deseret Industries," LDS Church spokesman Dale Bills said.
The Intermountain computer, though scrubbed of most files, contained a spreadsheet of information on employees who worked at LDS, Cottonwood and Alta View hospitals as well as The Orthopedic Specialty Hospital between 1999 and 2000.
Funaro said she was astonished to discover that one of Utah's largest employers could be so careless. "If it was my information, I would have been hysterical," she said. Gomez also was surprised to learn his information was on the laptop - and relieved that Funaro acted responsibly. Intermountain, which stopped identifying employees by their Social Security numbers three years ago, has alerted about 30,000 current and former employees about the incident and about a dozen have signed up for free credit monitoring, Gomez said.
All other "retired" computers are accounted for, Gomez said.
"Keep in mind this is a 14-year-old computer that sat in storage until last month when it was donated to DI," Gomez said. "We feel very confident 'after talking to the customer" that no information was compromised in any way.
"This was a really unique situation." Perhaps that is true for Intermountain, but it is surprising how much information customers leave on throw-away computers and trade-ins, said Dan Young, CEO of PC Laptops. His eight-store chain of new and used computer shops receives hundreds of used PCs every year.
Usually, trade-ins are treated by installing a new operating system, Young said. And flawed hard drives? "We take a sledge hammer to them . . . or punch it through several times with a screwdriver."
At a minimum, he said, people selling or donating computers should erase all their files and then reformat the hard drive. Zbigniew Ciutek, chief technician at Salt Lake City's Computer Re-Nu (formerly Computer Renaissance), recommends any of the free programs available for downloading from the Internet - programs with names like Active Eraser, Fast Eraser, Wipe Expert.
"And if there's something really important on there . . . a new hard drive is pretty cheap to get nowadays," Ciutek said. But, as a Florida retiree recently discovered, no system is foolproof.
Hank Gerbus, whose story appeared on television and later on MSNBC.com, had his hard drive replaced at a Cincinnati Best Buy in July 2005. Seven months later, a stranger called to say he had just purchased the old hard drive at a Chicago flea market for $25.
Gerbus knew the damaged hardware contained details of his retirement investments and asked Best Buy if he could keep it. The electronics retailer refused but promised workers would drill holes in it and make it inoperable.
For his trouble, Best Buy gave Gerbus a $250 gift card.
As for Funaro, Intermountain gave her a $50 certificate to Olive Garden.