Stem cell collector settles with FTC after breach

A California blood and tissue bank has agreed to settle Federal Trade Commission (FTC) charges stemming from a breach that affected nearly 300,000 consumers.

The FTC on Monday announced the settlement, which requires Cbr Systems to create and maintain a security program and, for the next 20 years, undergo independent security audits every other year. Cbr Systems will also be barred from misrepresenting its privacy and security practices.

The FTC alleged that Cbr, which collects and stores umbilical cord blood and tissue to be used for stem cell research and potential disease treatment, “misrepresented that it maintained reasonable and appropriate practices to protect consumers' personal information from unauthorized access,” an FTC analysis of the consent agreement said.

In December 2010, four backup tapes, a laptop, external hard drive and USB device containing unencrypted data were stolen from a Cbr employee's vehicle. Data on the devices included names, birth dates, Social Security numbers, driver's license numbers, checking account numbers, credit and debit card numbers, and other sensitive information of approximately 298,000 consumers.

The unencrypted data on both the stolen laptop and the external hard drive included enterprise network information, including passwords and protocols, which an attacker could have used to gain access to Cbr's network, the FTC said.

Since May 2011, the FTC has brought 32 legal actions against organizations that the agency contends misled consumers about the security of their sensitive information or violated their privacy rights.

A Cbr spokesperson could not immediately be reached for comment on the settlement.

UPDATE: A Cbr spokeswoman told SCMagazine.com on Tuesday that none of the data on the stolen devices was used fraudulently. She also said unencrypted data on the devices did not include health information.

"The FTC has not alleged that any company data from that [incident] has been improperly accessed or used," she said.

[An earlier version of this story incorrectly stated that medical health data of donors, and the credit and debit card information of donors' friends and family, were exposed in the breach.]
