M.D. Anderson Cancer Center Reports Possible Health Data Breach

EVENTS

MAY

West Coast Summit on Using Health Data To Boost Care

San Francisco

MAY

Webinar on Effects of Reform on Health Systems

Online

MAY

Meeting of Calif. Mental Health Oversight Panel

Sacramento

View All Events

FROM THE FOUNDATION

End-of-Life Choices

Trends in end-of-life care show that not only does the care given vary widely from region to region and hospital to hospital, but also patients often don't get the care they prefer. What can be done?

Care Management Puzzle

Chronic diseases and the cost of care are rising. Are disease management programs improving outcomes for patients with complex, chronic conditions?

No Middleman

Under the "direct primary care" model, patients pay a monthly fee for basic medical services. Learn about the history and current landscape of physician practices offering this arrangement.

Friday, June 29, 2012

M.D. Anderson Cancer Center Reports Possible Health Data Breach

On Thursday, the University of Texas M.D. Anderson Cancer Center began notifying patients that an unencrypted laptop computer containing patient data was stolen in April, the Houston Business Journal reports.

Breach Details

Dan Fontaine -- M.D. Anderson senior vice president for business affairs -- said that the laptop was stolen from a physician's home on April 30.

He said it contained data on nearly 30,000 patients (Pulsinelli, Houston Business Journal, 6/28).

According to an M.D. Anderson release, data on the computer included:

Medical record numbers;
Patient names;
Social Security numbers; and
Treatment and research information (LaFave Grace, Modern Healthcare, 6/28).

Fontaine said that the data were not consistent among all patients (Houston Business Journal, 6/28).

He said, "We have no reason to believe that the computer was stolen for the information it contained" (Berger, Houston Chronicle, 6/28).

Response From Center

A spokesperson for the center said notification letters began going out Thursday to potentially affected patients.

In addition, M.D. Anderson said that a criminal investigation is ongoing and that it is working with law enforcement officials to recover the laptop (Modern Healthcare, 6/28).

Fontaine said M.D. Anderson is offering no-cost credit monitoring services to patients whose Social Security numbers were on the laptop.

Meanwhile, M.D. Anderson said it has boosted efforts to encrypt its devices (Houston Business Journal, 6/28).

1
07/01/2012
Kel Mohror

No mention was made of the data being encrypted or non-encrypted. Any PHI that leaves the clinic, hospital, or other organization MUST be encrypted to make the PHI meaningless to a thief.

Anderson's ISP (Information Security Policy) is lax and should be completely overhauled to be HIPAA-compliant. With increasing numbers of laptop computers and other mobile devices being used by providers because of convenience, health care organizations are also increasing their risks for allowing PHI breaches and being fined by HHS Office of Civil Rights.

Dozens of online resources on preventing breaches can be easily found, such as "13 Security Tips to Combat Mobile Device Threats to Healthcare."

Readers are invited to send feedback to: chl@chcf.org

View All Comments (1)
Print
Email
Share
- Facebook
- Twitter
- Google+
- LinkedIn
- Digg

COMMENTS (1)

"No mention was made of the data being encrypted or non-encrypted. Any PHI that leaves the clinic, hospital, or other organization MUST be encrypted to make the PHI meaningless to a thief.

Anderson's ISP (Information Security Policy) is lax and sh..."

- Kel Mohror