Settlement for breach involving 300,000

January 30, 2013 in Medical Technology

Cbr Systems, Inc., a cord blood bank based in San Bruno, Calif., on Tuesday agreed to settle Federal Trade Commission charges that it failed to protect the financial and health data of nearly 300,000 consumers.

The settlement stems from a December 2010 incident whereby unencrypted backup tapes containing consumers’ personal information, a Cbr laptop, external hard drive and USB drive were stolen from an employee’s car. 

According to the FTC complaint, the unencrypted backup tapes included, in many cases, names, Social Security numbers, dates of birth, drivers’ license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, email addresses, telephone number and adoption type of approximately 298,000 Cbr customers.

[See also: Stanford reports fourth HIPAA breach.]

Moreover, the complaint also alleges that the unencrypted Cbr laptop and external hard drive contained network information, including passwords and protocols, that could have permitted an intruder to access Cbr’s network, where sensitive personal health information was stored.

“The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr,” said FTC Chairman Jon Leibowitz in a statement. “The exposure of this information has the potential to cause real harm to consumers.”    

The settlement requires Cbr to establish and maintain a comprehensive information security program and submit to security audits by independent auditors regularly for 20 years.

Cbr Systems is a provider of umbilical cord blood and umbilical cord tissue banking services. Consumers pay to preserve and store a newborn’s cord blood and cord tissue because they contain stem cells, the use of which researchers are investigating to treat some diseases and conditions.

According to an FTC statement, Cbr claimed in its privacy policy that “[w]henever CBR handles personal information, regardless of where this occurs, CBR takes steps to ensure that your information is treated securely and in accordance with the relevant Terms of Service and this Privacy Policy…”

However, FTC officials say the comapny failed to use appropriate procedures for handling customers’ personal information, making its privacy policy claim deceptive under the FTC Act. 

Be the first to like.
VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Article source:

Be Sociable, Share!
Bookmark and Share

Leave a reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>