While Social Security numbers are increasingly common, a medical record of cancer or AIDS patients is worth its weight in gold, Pam Dixon, executive director of the World Privacy Organization, told internetnews.com. "Cancer patients are big money." The reason: fraudulent medical charges can easily hide among the many legitimate costs.
The stolen computer belonged to Cincinnati-based Electronic Registry Systems (ERS), a private company that maintains federally mandated cancer patient records. The computer contained the records from five hospitals, three of which are in Georgia, Tennessee and Pennsylvania. ERS refused to identify the other two.
Responding to the incident, Emory advised patients to place a fraud watch on their credit records, which is a common reaction to data breaches. However, checking credit records won't alert patients to fraudulent medical charges. Affected patients need to check their medical files, Dixon said.
Despite assurances that the computer had two passwords and the data was encrypted and usable only with proprietary ERS software, Dixon said gaining access was a simple matter.
"We're beyond that level of innocence," she said, adding that files could be read and copied and leave no fingerprints.
ERS said the patient data was stored on the computer unencrypted to convert the information to its proprietary format. As a result of the theft, the company said it has made changes to improve security.