Two-month delay in notifying patients after cancer center breach
An unencrypted laptop containing patient data was stolen April 30 from the home of a doctor working for The University of Texas M.D. Anderson Cancer Center, but those whose data may have been compromised were not notified until June 28.
How many victims? Nearly 30,000 patients.
What type of personal information? Names, medical record numbers, and treatment and/or research information. Social Security numbers (SSN) were present for a third of patients.
What happened? One day after the unencrypted laptop disappeared from the physician's home on April 30, hospital officials contracted forensic experts to determine what exactly the device contained. Although the investigation determined that there was information on around 30,000 patients, the facility opted to not notify patients until it had a “high degree of certainty” regarding the information because it didn't want “to create unnecessary anxiety.”
What's being done: While the hospital said it had been encrypting devices in the past, it will now intensify that program. It also is partnering with law enforcement to find the missing laptop. Those patients whose SSN was breached are eligible for a credit monitoring service paid for by Anderson.
Quote: “We take maintaining and monitoring our patients' health information very seriously, and this is a terrible misfortune,” Dan Fontaine, senior vice president for business affairs at Anderson, said.
Source: bizjournals.com/houston, Houston Business Journal, "M.D. Anderson Cancer Center notifies patients of stolen laptop with personal information," June 28, 2012