Cancer Care Group Suffers Security Breach


Indiana's Cancer Care Group (CCG) recently acknowledged that backup media containing information on 55,000 patients and employees were stolen from an employee's car on July 19. The data included patient names, addresses, dates of birth, Social Security numbers, medical record numbers, insurance information and clinical information; and employees' dates of birth, Social Security numbers, and beneficiary names.

"There is no evidence to believe that the back-up media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes," CCG stated in a notice on its Web site. "Cancer Care Group assures its patients and employees that it took immediate steps to investigate and attempt to recover the back-up media. A police report was filed and patients and employees are being notified. Unfortunately, the back-up media have not yet been recovered."

"Furthermore, the Cancer Care Group’s representatives claim that they’re in the process of adding encryption and other security mechanisms to all their computing devices to prevent misuse in case they get stolen," writes Softpedia's Eduard Kovacs.

"Whilst we mustn't forget that CCG is the victim of a crime here, we also have to ask, 'Why would anyone, ever, leave an unencrypted laptop unattended in a car?' That's like running a public-facing blog using WordPress 1.5.2 on an unpatched Windows 2000 server," writes Sophos' Paul Ducklin.

"The physician group is one of the biggest privately owned radiation oncology programs in the U.S., with 21 locations throughout the state of Indiana," writes Healthcare IT News' Erin McCann. "The July Cancer Care Group data breach is the fourth largest data breach of 2012. It stands behind similar incidents at Utah Department of Health, involving the PHI of 780,000 individuals; Emory Healthcare, involving the PHI of an estimated 315,000 individuals; and South Carolina Department of Health, involving PHI of 228,000 individuals."