Healthcare News & Insights

Unencrypted backup tapes, hard drives and laptop stolen from health employee’s car

Any time data goes mobile, there’s a risk of a data breach. That’s what this company learned after several pieces of IT equipment were stolen from an employee’s car. 

Cbr Systems, a cord blood bank based in San Bruno, CA, recently entered into a settlement with the Federal Trade Commission (FTC) after an incident in which personal information about nearly 300,000 people was breached.

According to the FTC complaint, the data breach occurred when unencrypted backup tapes, a laptop, a portable hard drive, a USB drive and other Cbr IT equipment were stolen from an employee’s car.

All those devices contained a wealth of information with a lot of value for identity thieves and cyber criminals, including Social Security numbers, credit and debit card numbers, contact information, medical history, and other sensitive information about donors.

Cbr also runs several websites with information about pregnancy and parenting, some of which require visitors to enter personal information in order to register and view the pages. Some of that information was also contained on the stolen equipment.

And finally, the stolen equipment also contained information about the company’s network that might be useful for future hacking attacks, including passwords and network protocols.

Although the settlement included no civil penalties, Cbr did agree to improve its security practices. According to the FTC, the company failed to implement reasonable policies and procedures to protect sensitive information, was at fault for allowing data to be transported in a way that made it susceptible to theft, and failed to encrypt the information or otherwise make it unreadable to unauthorized people.

Lesson: Don’t keep unneeded data

Theft of portable devices is a common theme in healthcare data breaches. But this incident also contains a valuable lesson for healthcare organizations: It’s critical to be aware of what information is being stored and to have a process in place to make sure that data is deleted when it’s no longer needed.

In addition to the other allegations, the FTC argued that Cbr kept too much information for which it had no business need, and failed to make sure service providers were destroying information that was no longer needed.

Organizations should:

  • Never collect more sensitive information than they need
  • Have policies pertaining to how long different types of data should be held, and make sure it’s deleted after that point, and
  • Periodically audit data to find and delete unnecessary information.
