300,000 Alerted to Stem Cell Bank Breach
Stolen Backup Tapes Contained Credit, Not Health, Information
The backup tapes, along with a computer and other property, were stolen in December from an employee's locked car. In its letter to clients, the registry says, "The stolen tapes may have contained your name, Social Security number, driver's license number, credit card information and/or credit expiration date. The stolen computer contained no personal information."
The registry, which has completed more than 350,000 umbilical cord blood collections, says it has no evidence that the information on the tapes has been accessed or misused. "We do not believe that the tapes were the target of the theft, and we believe that it is unlikely that an identity theft will occur from this situation," the letter states.
Credit Protection
However, the registry is offering those potentially affected one year's worth of free credit protection as part of its risk management effort. "We recognize that the loss of unencrypted data poses a risk, and that's why we sent out notices to our customers," a company spokesman says.
Because no medical information was on the tapes, the incident does not fall under the HITECH Act breach notification rule, which requires covered entities to notify individuals and regulators when unsecured protected health information is breached. The registry is instead notifying those potentially affected in compliance with the many state breach notification and information security laws that cover Social Security, driver's license and payment card numbers, the spokesman says.
"CBR has strengthened and tightened our data security procedures," the spokesman adds. "We hired security experts and implemented a number of improvements to protect our client data."
PCI-DSS Standard
The Payment Card Industry Data Security Standard, which applies to all merchants that accept credit and debit card transactions, including healthcare organizations, describes how stored credit card data must be protected. Among its requirements, the standard says the primary account number must be rendered unreadable (for example, by strong encryption, truncation or hashing) anywhere it is stored, and backup media are not exempt, so unencrypted card data on a tape carried off-site is a compliance gap regardless of whether the tape is ever read. The PCI Security Standards Council, which offers education on PCI-DSS, suggests: "In general, no payment card data should ever be stored by a merchant unless it's necessary to meet the needs of the business." The council offers a detailed list of "do's" and "don'ts" for storage.
The major credit card companies created the PCI standard, which specifies several high-level security controls that all organizations handling payment card data are required to implement (See: PCI Training Gets High Marks).