[ISN] Stolen backup media causes health data breach at Cancer Care Group

From: InfoSec News <alerts_at_private>
Date: Fri, 31 Aug 2012 04:51:10 -0500 (CDT)
http://ehrintelligence.com/2012/08/28/stolen-backup-media-causes-health-data-breach-at-cancer-care-group/

By Kyle Murphy, PhD
EHR Intelligence
August 28, 2012

In a press release today, Cancer Care Group (Indianapolis, IN) announced 
that a laptop computer containing its computer server backup media was 
stolen from an employee’s locked car on July 19, 2012. The breach has 
potentially exposed the protected health information (PHI) or personally 
identifiable information (PII) of close to 55,000 individuals, including 
the organization’s own employees. The latest incident comes less than a 
month after Apria Healthcare reported a similar incident in Arizona 
where an employee’s car was broken into and a laptop containing 
information for 11,000 patients stolen.

Details about the theft, which was reported to the authorities, are 
still scarce. A spokesman for Cancer Care Group has indicated that the 
group doesn’t know if the contents of the backup media motivated the 
theft. Moreover, there is no indication that the theft has led to the 
unauthorized use of patient or employee data. These data include 
names, addresses, dates of birth, and Social 
Security numbers for both parties as well as medical and insurance 
information for patients and beneficiary, employment, or financial 
information for employees.

As a result of the health data breach, Cancer Care Group is reviewing 
its security measures although it’s unclear what safeguards were 
actually in place at the time of the theft. “Cancer Care Group is 
encrypting all mobile media, updating policies and procedures, upgrading 
data storage technology, and re-educating our workforce on safety with 
mobile media,” notes spokesman Clyde Lee. “Some of these steps already 
were underway at the time this incident occurred.” Wouldn’t an 
organization that has encrypted its data make sure to indicate that 
clearly when news of a breach breaks? It seems unnecessary to broach the 
subject of encryption unless this protection were lacking from the 
stolen hardware. Given the tendency for employees to carry valuable 
patient information offsite, encryption is a logical choice for 
healthcare organizations. In the case of Cancer Care Group, that the 
employee had the ability to carry backup media outside the 
organization’s walls appears to be a serious administrative, let alone 
physical, oversight.

[...]