Information Security News mailing list archives

Stolen backup media causes health data breach at Cancer Care Group


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 31 Aug 2012 04:51:10 -0500 (CDT)

http://ehrintelligence.com/2012/08/28/stolen-backup-media-causes-health-data-breach-at-cancer-care-group/

By Kyle Murphy, PhD
EHR Intelligence
August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced that a laptop computer containing its computer server backup media was stolen from an employee’s locked car on July 19, 2012. The breach has potentially exposed the protected health information (PHI) or personally identifiable information (PII) of close to 55,000 individuals, including the organization’s own employees. The latest incident comes less than a month after Apria Healthcare reported a similar incident in Arizona where an employee’s car was broken into and a laptop containing information for 11,000 patients was stolen.

Details about the theft, which was reported to the authorities, are still scarce. A spokesman for Cancer Care Group has indicated that the group doesn’t know if the contents of the backup media motivated the theft. Moreover, there is no indication that the theft has led to the unauthorized use of patient or employee data. These data include names, addresses, dates of birth, and Social Security numbers for both parties as well as medical and insurance information for patients and beneficiary, employment, or financial information for employees.

As a result of the health data breach, Cancer Care Group is reviewing its security measures, although it’s unclear what safeguards were actually in place at the time of the theft. “Cancer Care Group is encrypting all mobile media, updating policies and procedures, upgrading data storage technology, and re-educating our workforce on safety with mobile media,” notes spokesman Clyde Lee. “Some of these steps already were underway at the time this incident occurred.” Wouldn’t an organization that has encrypted its data make sure to indicate that clearly when news of a breach breaks? It seems unnecessary to broach the subject of encryption unless this protection were lacking from the stolen hardware. Given the tendency for employees to carry valuable patient information offsite, encryption is a logical choice for healthcare organizations. In the case of Cancer Care Group, that the employee had the ability to carry backup media outside the organization’s walls appears to be a serious administrative, let alone physical, oversight.

[...]

