BreachExchange mailing list archives

Stolen backup media causes health data breach at Cancer Care Group


From: security curmudgeon <jericho () attrition org>
Date: Fri, 31 Aug 2012 12:01:44 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://ehrintelligence.com/2012/08/28/stolen-backup-media-causes-health-data-breach-at-cancer-care-group/

By Kyle Murphy, PhD
EHR Intelligence
August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced 
that a laptop computer containing its computer server backup media was 
stolen from an employee's locked car on July 19, 2012. The breach has 
potentially exposed the protected health information (PHI) or personally 
identifiable information (PII) of close to 55,000 individuals, including 
the organization's own employees. The latest incident comes less than a 
month after Apria Healthcare reported a similar incident in Arizona where 
an employee's car was broken into and a laptop containing information for 
11,000 patients was stolen.

Details about the theft, which was reported to the authorities, are still 
scarce. A spokesman for Cancer Care Group has indicated that the group 
doesn't know if the contents of the backup media motivated the theft. 
Moreover, there is no indication that the theft has led to the unauthorized 
use of patient or employee data. The data include names, addresses, dates 
of birth, and Social Security numbers for both patients and employees, as 
well as medical and insurance information for patients and beneficiary, 
employment, or financial information for employees.

As a result of the health data breach, Cancer Care Group is reviewing its 
security measures, although it's unclear what safeguards were actually in 
place at the time of the theft. "Cancer Care Group is encrypting all 
mobile media, updating policies and procedures, upgrading data storage 
technology, and re-educating our workforce on safety with mobile media," 
notes spokesman Clyde Lee. "Some of these steps already were underway at 
the time this incident occurred." Wouldn't an organization that had 
encrypted its data make sure to indicate that clearly when news of a 
breach breaks? It seems unnecessary to broach the subject of encryption 
unless this protection were lacking from the stolen hardware. Given the 
tendency for employees to carry valuable patient information offsite, 
encryption is a logical choice for healthcare organizations. In the case 
of Cancer Care Group, that the employee had the ability to carry backup 
media outside the organization's walls appears to be a serious 
administrative, let alone physical, oversight.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list