Settlement for breach involving 300,000 consumers
January 30, 2013 in Medical Technology
Cbr Systems, Inc., a cord blood bank based in San Bruno, Calif., on Tuesday agreed to settle Federal Trade Commission charges that it failed to protect the financial and health data of nearly 300,000 consumers.
The settlement stems from a December 2010 incident in which unencrypted backup tapes containing consumers’ personal information, along with a Cbr laptop, an external hard drive and a USB drive, were stolen from an employee’s car.
According to the FTC complaint, the unencrypted backup tapes included, in many cases, the names, Social Security numbers, dates of birth, driver’s license numbers, credit and debit card numbers, card expiration dates, checking account numbers, addresses, email addresses, telephone numbers and adoption type of approximately 298,000 Cbr customers.
The complaint also alleges that the unencrypted Cbr laptop and external hard drive contained network information, including passwords and protocols, that could have allowed an intruder to access Cbr’s network, where sensitive personal health information was stored. In other words, the loss of the portable devices exposed not only the data on them but also credentials that could have been used to reach data that was never on the devices at all.
“The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr,” said FTC Chairman Jon Leibowitz in a statement. “The exposure of this information has the potential to cause real harm to consumers.”
The settlement requires Cbr to establish and maintain a comprehensive information security program and to obtain regular independent security audits for 20 years.
Cbr Systems is a provider of umbilical cord blood and umbilical cord tissue banking services. Consumers pay to preserve and store a newborn’s cord blood and cord tissue because they contain stem cells, the use of which researchers are investigating to treat some diseases and conditions.