Yottabytes: Storage and Disaster Recovery

Aug 31 2012   3:11PM GMT

MD Anderson Cancer Center Loses Patient Data *Again*



Posted by: Sharon Fisher
Tags:
data storage
encryption
flash drives
memory stick
thumb drives

For the second time this year, and the third time since 2006, MD Anderson Cancer Center in Texas has had to alert patients that it had lost access to their personal data.

“On July 14, 2012, MD Anderson learned that on July 13 a trainee lost an unencrypted portable hard drive (a USB thumb drive) on an MD Anderson employee shuttle bus,” the company reported earlier this month. “We immediately began a search for the device and conducted a thorough investigation. Unfortunately, the USB thumb drive has not been located.” In the thank goodness for small favors department, the data did not include Social Security numbers. Some 2,200 patients were affected.

Similarly, on June 28, the company announced a previous breach. “On April 30, 2012, an unencrypted laptop computer was stolen from an MD Anderson faculty member’s home. The faculty member notified the local police department. MD Anderson was alerted to the theft on May 1, and immediately began a thorough investigation to determine what information was contained on the laptop. After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers. We have no reason to believe that the laptop was stolen for the information that it contained. We have been working with law enforcement, but to date the laptop has not been located.” Another 30,000 patient notifications.

This follows a 2006 notification incident where private health information and Social Security numbers of nearly 4,000 patients of were at risk after a laptop containing their insurance claims was stolen the previous November at the Atlanta home of an employee of PricewaterhouseCoopers, an accounting firm reviewing the patient claims.

It’s not uncommon that medical facilities lose data. It’s not even uncommon that they lose it more than once. But twice in a single year? Come on, people.

Security experts were unsympathetic.

“Wow, is that dumb,” international cyber security expert Bruce Schneier told the Houston Chronicle. “This isn’t complicated. This is kindergarten cryptography. And they didn’t do it. I’d be embarrassed if I were them. Of course, it’s not them whose privacy could be violated. It’s the innocent patients who trusted them. To be fair,” he said in an email, “the drive could simply be lost and will never be recovered. We don’t know that patient information was leaked. But it’s still shockingly stupid of the hospital.”

“The university says that it’s going to start giving out encrypted USB drives to employees and plans on reinforcing patient data safety practices,” writes Patrick Ouellette of EHR Intelligence. “Of course, Anderson also said back on June 28 that it “takes this incident very seriously and is committed to protecting patient privacy” while offering the same promises to improve data security. Letting unencrypted USB devices float around among trainees is not the best way to follow through with those plans.”

The center said it was beginning a several-month plan to encrypt all the computers at the hospital, and that 26,000 had been encrypted thus far. The hospital has also ordered 5,000 encrypted thumb drives. In addition, employees will receive training on thumb drives and security.

If nothing else, at least MD Anderson is apparently in good company. “According to a records search of the Privacy Rights Clearinghouse, which keeps a running tab on data breaches and the like, so far this year 387 357 medical-related records have been compromised in 68 reported incidents involving lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc,” writes IEEE Spectrum. “Last year there were 66 such breaches with 6 130 630 records compromised.”

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: