MD Anderson sustains second security breach this year

An employee of the University of Texas MD Anderson Cancer Center lost a thumb drive, potentially exposing unencrypted medical and personal information of patients.

How many victims? About 2,200 patients.

What type of personal information? Diagnosis, treatment and research information, as well as names, dates of birth and medical record numbers of patients.

What happened? On July 13, a trainee at the center lost an unencrypted USB drive on an MD Anderson employee shuttle bus.

What was the response? MD Anderson conducted an investigation and search for the lost thumb drive, and began mailing letters to patients affected on Aug. 17. The hospital is also working to encrypt their portable devices used to transport patient data, and to further enforce privacy policies through educational programs for employees.

Details: The incident is the second time this year that patient information at MD Anderson has been compromised. Another laptop was stolen on April 30, this time from a MD Anderson physician's home. That device contained the unencrypted data for more than 29,000 patients.

And in 2006, the data on 4,000 patients was potentially exposed when a laptop containing encrypted insurance claims records was stolen from a PricewaterhouseCoopers (PwC) employee's house.

In the latest incident, MD Anderson patients' Social Security numbers and financial information were not contained on the thumb drive, according to release posted by the center.

Source: ModernHealthcare.com, “MD Anderson loses thumb drive containing patient data,” Aug. 19, 2012.

[An earlier version of this story incorrectly stated that the PwC laptop was lost in 2012, when it actually was 2006. The previous headline also was incorrect.]