Stolen Laptop Affects 30,000 Patients

SSNs Included in Compromised Data

The University of Texas MD Anderson Cancer Center is notifying 30,000 patients of a data breach after an unencrypted laptop was stolen from a faculty member's home.

According to a notice posted on MD Anderson's website, the laptop was stolen on April 30. The Houston-based organization was notified about the incident on May 1. The cancer center then contacted outside forensics experts and began an investigation to find out what data was contained on the laptop.

Information that may have been on the laptop includes patient names, medical record numbers, treatments, research information, and in some instances Social Security numbers, the notice explained.

Breach Response

As a result of the breach, MD Anderson is taking steps to encrypt all computers. "This technology scrambles each computer's data to make it more difficult for unauthorized users to retrieve any information," the notice says.

"We also are reinforcing with all employees our privacy policies in the handling of patient information."

Notices were mailed to affected patients on June 28.

The organization is providing complimentary credit monitoring services to affected patients, although a spokeswoman for the organization couldn't specify for how long.

Lack of Encryption: A Common Issue

The lack of encryption around laptops and other mobile devices is a well-known issue, says security consultant Rebecca Herold of Rebecca Herold & Associates. "The hospitals and clinics I'm working with are constantly battling this," she says. "The CISOs and CPOs I know understand the risks and are trying to get encryption rolled out to all mobile devices."

But the problem, Herold says, comes with physicians and their staffs, who think installing encryption software on their equipment takes too long and may, as a result, disrupt patient care. Hospital staffers also continue to use their personal mobile devices alongside the ones the hospital provides. PHI accumulates on these devices over time, and IT personnel often aren't aware of it, Herold explains.

"Often, hospital executives who have closer communications with their physicians than they do with their IT folks don't understand the real risks involved with clear text PHI in mobile devices," Herold says. "Physicians, nurses and their staff often overestimate their information security understanding, and then do things without realizing they're laying the groundwork for a breach."
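The check that follows from this section is whether a given machine's data volumes actually sit on an encrypted layer, rather than whether an encryption product was merely installed. The script below is an added example and is not code from the article or from MD Anderson: it parses `lsblk -P` output (key="value" pairs) and walks the block-device tree upward from the device behind a mountpoint, reporting it as encrypted only if a dm-crypt (LUKS) mapper sits somewhere in that chain. This correctly handles the common LVM-on-LUKS layout, where the root volume is of type `lvm` and only its parent is of type `crypt`. The two `lsblk` samples are constructed for the example and were not captured from any real host; `mount_is_encrypted` and `check_sample` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a mountpoint rests on a
# dm-crypt/LUKS layer by walking the block-device tree that `lsblk -P` reports.
#
# On a live host:  lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT | mount_is_encrypted /
# Exit status: 0 = encrypted, 1 = cleartext, 2 = mountpoint not found.
mount_is_encrypted() {
  awk -v want="$1" '
    # Pull the value of KEY="..." out of one lsblk -P line.
    # The (^| ) anchor keeps NAME from matching inside PKNAME.
    function val(line, key,   m) {
      if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
      m = substr(line, RSTART, RLENGTH)
      sub(/^.*="/, "", m); sub(/"$/, "", m)
      return m
    }
    {
      n = val($0, "NAME")
      type[n]   = val($0, "TYPE")
      parent[n] = val($0, "PKNAME")
      if (val($0, "MOUNTPOINT") == want) dev = n
    }
    END {
      if (dev == "") { printf "%s: not mounted\n", want; exit 2 }
      # Walk up through LVM volumes and partitions until a crypt mapper or the raw disk.
      for (d = dev; d != ""; d = parent[d])
        if (type[d] == "crypt") { printf "%s: encrypted via %s\n", want, d; exit 0 }
      printf "%s: CLEARTEXT on %s\n", want, dev; exit 1
    }'
}

# Constructed samples of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT` output (not captured
# from any real machine). One laptop with LVM on LUKS, one with a plain cleartext root.
SAMPLE_LUKS='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="vg0-root" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/"
NAME="vg0-home" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/home"'

SAMPLE_PLAIN='NAME="nvme0n1" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" PKNAME="nvme0n1" MOUNTPOINT="/"'

# Feed one sample through the check; prints the verdict line, keeps the exit status.
check_sample() { printf '%s\n' "$2" | mount_is_encrypted "$1"; }

check_sample /     "$SAMPLE_LUKS"
check_sample /home "$SAMPLE_LUKS"
check_sample /     "$SAMPLE_PLAIN" || echo "  -> flagged for follow-up, exit status $?"
```

Note that an unencrypted `/boot` partition, as in the first sample, is normal and not a finding by itself; what matters for a stolen laptop is that every volume holding patient data (`/`, `/home`, any data disk) resolves to a `crypt` ancestor. The same idea applies to other platforms via their native tools (`manage-bde -status` on Windows, `fdesetup status` on macOS), which this example does not cover.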

HHS Tracking of Healthcare Breaches

The Department of Health and Human Services' Office for Civil Rights maintains a federal tally of individuals affected by major information breaches after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.

More than half of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involved a hacker attack. About 22 percent of the breaches have involved a business associate.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
