300,000 Alerted to Stem Cell Bank Breach

Stolen Backup Tapes Contained Credit, Not Health, Information
300,000 Alerted to Stem Cell Bank Breach
Some 300,000 clients of the Cord Blood Registry, a stem cell bank, have been notified of a personal information breach involving stolen unencrypted backup tapes. No health information was involved.

The backup tapes, along with a computer and other property, were stolen in December from a employee's locked car. In its letter to clients, the registry says, "The stolen tapes may have contained your name, Social Security number, driver's license number, credit card information and/or credit expiration date. The stolen computer contained no personal information."

The registry, which has completed more than 350,000 umbilical cord blood collections, says it has no evidence that the information on the tapes has been accessed or misused. "We do not believe that the tapes were the target of the theft, and we believe that it is unlikely than an identity theft will occur from this situation," the letter states.

Credit Protection

However, the registry is offering those potentially affected one year's worth of free credit protection as part of its risk management effort. "We recognize that the loss of unencrypted data poses a risk, and that's why we sent out notices to our customers," a company spokesman says.

Because no medical information was on the tapes, the incident does not fall under the HITECH Act breach notification rule, which requires the reporting of health information security incidents. The registry is notifying those potentially affected in compliance with many state breach notification and information security laws, the spokesman says.

"CBR has strengthened and tightened our data security procedures," the spokesman adds. "We hired security experts and implemented a number of improvements to protect our client data."

PCI-DSS Standard

The Payment Card Industry Data Security Standard, which applies to all merchants that accept credit and debit card transactions, including healthcare organizations, describes how stored credit card data must be protected. The PCI Security Standards Council, which offers education on PCI-DSS, suggests: "In general, no payment card data should ever be stored by a merchant unless it's necessary to meet the needs of the business." The council offers a detailed list of "do's" and "don'ts" for storage.

The major credit card companies created the PCI standard, which specifies several high-level security controls that all organizations handling payment card data are required to implement (See: PCI Training Gets High Marks).


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.