MD Anderson Cancer Center Acknowledges Security Breach
An unencrypted laptop containing sensitive information on 30,000 patients was stolen from a doctor's home.
The University of Texas MD Anderson Cancer Center recently announced that an unencrypted laptop was stolen from a physician's home two months ago. "After a detailed review with outside forensics experts, we have confirmed that the laptop may have contained some of our patients’ personal information, including patients’ names, medical record numbers, treatment and/or research information, and in some instances Social Security numbers," MD Anderson said in a statement.
"One day after the unencrypted laptop disappeared from the physician's home on April 30, hospital officials contracted forensic experts to determine what exactly the device contained," writes SC Magazine's Greg Masters. "Although the investigation determined that there was information on around 30,000 patients, the facility opted to not notify patients until it had a 'high degree of certainty' regarding the information because it didn't want 'to create unnecessary anxiety.'"
"The computer has not been recovered," writes The Houston Chronicle's Eric Berger.
"The cancer center is offering credit monitoring services for those whose Social Security numbers were compromised and taking steps to better secure all MD Anderson computers and the patient data held within them," writes Threatpost's Anne Saita. "Additionally, hospital officials say they will reinforce privacy policies so all employees properly handle patient data."
"The news is just the latest chapter in what seems to be an ongoing medical data-breach saga," notes FierceHealthIT's Dan Bowman. "Last month, the personal information of more than 2,100 Boston Children's Hospital patients was put in jeopardy after an employee lost a laptop containing unencrypted health information while attending a conference in Buenos Aires. Meanwhile, personal data on more than more than 228,000 Medicaid recipients in South Carolina was put at risk in early April when a state Department of Health & Human Services employee sent the information to his personal, unsecured email account."