One of the most revered institutions in the state of Texas is the University of Texas M.D. Anderson Cancer Center. It’s one of the most famous hospitals in the world. Depending on which list you check, M.D. Anderson is ranked either #1 or #2 in the country for cancer treatment. People have been known to travel from every corner of the world to be treated at this center.
With such a stellar reputation for achieving great success in patient care, it’s a shame to see a black mark on the company’s name. This black mark comes from a patient breach of trust that occurred in April 2012 when an M.D. Anderson laptop computer that contained information on 30,000 patients was stolen from a hospital employee’s home. The data on the hard disk was encrypted and included:
- Medical record numbers
- Patient names
- Social Security numbers
- Treatment and research information
While authorities do not believe the theft was deliberately committed in order to attain the data, that’s little comfort to the tens of thousands of patients who must deal with the stress of potential identity theft on top of the stress of cancer treatment.
And now, like the cancers that the center treats every day, the black mark on the hospital’s reputation has spread: on Friday the state announced another data breach involving patient data. This time, a flash drive containing confidential information on 2,200 patients was lost July 13 on a cancer center shuttle bus. The center launched a search for the portable USB thumb drive the next day but never found it. The Houston Chronicle reports that the unencrypted data on the lost drive included patients' names, dates of birth, medical record numbers and diagnoses, and treatment and research information. It did not contain Social Security numbers or financial information.
One breach is bad enough, but two is inexcusable. Especially when the unencrypted data drives containing such sensitive information are off-network and in the hands of workers who apparently don’t feel an urgency to protect what they have in their possession. But I don’t find fault with the hapless employees nearly as much as I do the hospital’s IT Department, which failed to learn a lesson from the April breach in time to apply it before the July breach could happen.
Several questions come to mind:
- Why was this sensitive data not encrypted?
- Why were employees allowed to transport sensitive data on portable devices?
- What kind of policies does the hospital have in place to address data security and HIPAA regulations?
- Are M.D. Anderson employees required to complete security awareness training?
These breaches weren’t the least bit sophisticated. It’s disappointing that the hospital didn’t implement basic security measures that would protect the data if an unauthorized user were to try to access it. Who knows where the thumb drive and the laptop are today, and who knows who may have perused the patient data on those devices? It would be a real tragedy if any patients suffer identity theft due to these incredible acts of carelessness.
Let this be a lesson to anyone responsible for data security: invest in basic data encryption and/or tokenization solutions and apply it to sensitive data. There’s never a good excuse for sensitive data like this to be in the clear.