Cancer Center Reports 2nd Data Breach

Both Incidents Involved Mobile Devices

By , August 20, 2012.
Cancer Center Reports 2nd Data Breach

The University of Texas MD Anderson Cancer Center has reported its second data breach since April involving an unencrypted mobile device.

See Also: How Cybercriminals Use Phone Scams To Take Over Accounts and Commit Fraud

The latest incident, which occurred in July, affected about 2,220 patients and involved a USB thumb drive. An April laptop incident affected 30,000 individuals.

In the latest breach, the Houston-based cancer center says a thumb drive containing patient data and research information was lost on one of its shuttle buses on July 13. After learning of the incident on July 14, the cancer center says it launched a search for the missing device and conducted a thorough investigation, but it did not locate the missing drive, according to a statement on its website.

Data on the drive included patient names, dates of birth and medical record numbers, plus diagnosis, treatment and research information. No Social Security numbers or financial information was on the drive, the cancer center reports. The organization began mailing letters August 17 to notify those affected.

In the April breach, which was revealed in late July, an unencrypted laptop computer was stolen from a faculty member's home (see: Stolen Laptop Affects 30,000 Patients). The theft was reported to local police, and the cancer center was alerted on May 1. A detailed review with outside forensic experts confirmed patient information, including names, medical record numbers, treatment and research information, as well as some Social Security numbers, were on the stolen device.

At the time the April breach was revealed in July, MD Anderson said it was accelerating its efforts to encrypt all computers and was reinforcing privacy training of its employees. The cancer center restated those plans in the statement issued in the wake of the latest breach. But the organization declined to provide further details.

Because the latest breach did not involve Social Security numbers, no credit monitoring services are being offered to affected patients. However, MD Anderson is providing free credit monitoring services to those patients whose Social Security numbers were exposed in the April breach.

Encryption in the Spotlight

The loss or theft of unencrypted mobile computing devices continues to be the Achilles heel for many healthcare organizations.

As of late July, 54 percent of the major breach incidents reported since September 2009 to the U.S. Department of Health and Human Services' Office for Civil Rights involved the loss or theft of unencrypted computing devices or media (see: Health Breaches: 20.8 Million Affected).

While a lack of encryption has been the culprit in many breaches, Carl Gunter, professor of computer science at the University of Illinois at Urbana-Champaign, says awareness of the importance of encryption is starting to improve.

"We do see some improvement in doing routine things, like making sure a laptop is encrypted to mitigate risk," he says. And as encryption technologies continue to improve, that will help reduce risk, he adds.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Reversal of Fortune: DHS Funding Approved

Congress has voted to fund the Department of Homeland Security through September, the end of the...

Latest Tweets and Mentions

ARTICLE Reversal of Fortune: DHS Funding Approved

Congress has voted to fund the Department of Homeland Security through September, the end of the...

The ISMG Network