Cancer Center Reports 2nd Data BreachBoth Incidents Involved Mobile Devices
The University of Texas MD Anderson Cancer Center has reported its second data breach since April involving an unencrypted mobile device.
See Also: HIPAA Audits: A Revised Game Plan
The latest incident, which occurred in July, affected about 2,220 patients and involved a USB thumb drive. An April laptop incident affected 30,000 individuals.
In the latest breach, the Houston-based cancer center says a thumb drive containing patient data and research information was lost on one of its shuttle buses on July 13. After learning of the incident on July 14, the cancer center says it launched a search for the missing device and conducted a thorough investigation, but it did not locate the missing drive, according to a statement on its website.
Data on the drive included patient names, dates of birth and medical record numbers, plus diagnosis, treatment and research information. No Social Security numbers or financial information was on the drive, the cancer center reports. The organization began mailing letters August 17 to notify those affected.
In the April breach, which was revealed in late July, an unencrypted laptop computer was stolen from a faculty member's home (see: Stolen Laptop Affects 30,000 Patients). The theft was reported to local police, and the cancer center was alerted on May 1. A detailed review with outside forensic experts confirmed patient information, including names, medical record numbers, treatment and research information, as well as some Social Security numbers, were on the stolen device.
At the time the April breach was revealed in July, MD Anderson said it was accelerating its efforts to encrypt all computers and was reinforcing privacy training of its employees. The cancer center restated those plans in the statement issued in the wake of the latest breach. But the organization declined to provide further details.
Because the latest breach did not involve Social Security numbers, no credit monitoring services are being offered to affected patients. However, MD Anderson is providing free credit monitoring services to those patients whose Social Security numbers were exposed in the April breach.
Encryption in the Spotlight
The loss or theft of unencrypted mobile computing devices continues to be the Achilles heel for many healthcare organizations.
As of late July, 54 percent of the major breach incidents reported since September 2009 to the U.S. Department of Health and Human Services' Office for Civil Rights involved the loss or theft of unencrypted computing devices or media (see: Health Breaches: 20.8 Million Affected).
While a lack of encryption has been the culprit in many breaches, Carl Gunter, professor of computer science at the University of Illinois at Urbana-Champaign, says awareness of the importance of encryption is starting to improve.
"We do see some improvement in doing routine things, like making sure a laptop is encrypted to mitigate risk," he says. And as encryption technologies continue to improve, that will help reduce risk, he adds.