Cord Blood Registry Settles with FTC Over Privacy Breach
CBR Systems has agreed to submit to independent security audits every other year for 20 years.
The Cord Blood Registry (CBR Systems) recently agreed to settle FTC charges that it failed to protect its customers' personal information, leading to a December 2010 breach that exposed approximately 298,000 CBR customers' personal data, including Social Security numbers and credit card numbers.
Under the terms of the settlement, the Cord Blood Registry will have to implement a comprehensive information security program and submit to independent security audits every other year for 20 years.
"The FTC's complaint against CBR Systems, which stores umbilical cord blood and tissue, dates to December 2010, when unencrypted backup tapes, a laptop and other equipment were stolen from an employee's car, according to the commission," writes CIO's Kenneth Corbin. "As a result, sensitive health information, credit card and Social Security numbers and other data were compromised, and the laptop and a hard drive that were stolen included passwords and protocols that could have provided access to CBR Systems' internal network."
"While there are no rules generally regarding how personal information must be safeguarded, the FTC pursues companies that are particularly sloppy or which promise to safeguard clients' personal information and then do not," writes Reuters' Diane Bartz.
"A spokeswoman for CBR Systems, based in San Bruno, Calif., said the FTC has not alleged that the data from the theft was improperly accessed or used," writes Modern Healthcare's Jaimy Lee. "She also said the settlement did not include monetary penalties and did not require an admission that the law was violated."