I first became aware of the following breach from DataLossDB.org. It was reported to them by one of those affected who also reported it on ScamSafe:
ScamSafe appears to be the first to report a serious data breach at Cord Blood Registry (www.cordblood.com). No mention has been found of this breach in the news or the Data Loss database.
The author received a notification letter as a customer of CBR dated February 14 2011.
A CBR computer and data backup tapes were stolen from an employee’s locked automobile. The stolen tapes contained customer names, Social Security numbers, driver’s licenses and/or credit card numbers.
Read more on ScamSafe.
The breach notification letter was uploaded to DataLossDB.org.
I don’t know what other correspondence CBR sent those affected, but their Feb. 14 letter does not include any description at all of what happened or what types of information were involved. Hopefully, such information was in the FAQ they sent, which was not uploaded. The police report indicates that the theft occurred in San Francisco on December 13, 2010. I cannot find any statement on CBR’s web site at this time.
I contacted CBR to request additional details. A corporate spokesperson sent me the following statement:
As a company we are doing everything we can to help make customers feel secure after being victims ourselves of a crime. Notifications went out to approximately 300,000 people. The tapes may have contained personal client data. A computer and other property were also stolen at the same time, and we do not believe these tapes were the target of the theft. CBR promptly notified law enforcement of the incident and we brought in computer security experts to evaluate potential risks. Our experts have advised us there is no indication at this time that any of the personal data has been accessed or misused. In order to provide clients with additional protection and peace of mind, we have arranged for clients to sign up for a one-year credit protection program at no charge.
According to the spokesperson’s statement, CBR is not a HIPAA-covered entity and the breach did not involve any health information. The spokesperson did not directly respond to an inquiry asking whether CVV codes were also stored on the backup tapes or computer along with the credit card numbers, but noted that the type of information involved differed from one individual to another.
In response to the incident, CBR has strengthened its security:
We have taken extra steps on behalf of our customers in providing the credit monitoring free of charge. CBR has also strengthened and tightened our data security procedures. We hired security experts and implemented a number of improvements to protect our client data. The company continues to monitor these processes but will not share any details of these changes in order to preserve the integrity of the security mechanisms. The data on the tapes was not encrypted. We recognize that the loss of unencrypted data poses a risk, and that’s why we sent out the notices to our customers.
Cross-posted from PHIprivacy.net
Update 3-9-11: CBR’s notification to the New Hampshire Attorney General’s Office is available on that site.
Interesting. Not that I’m doubting what the spokesperson said, but:
1. According to the HHS.gov site, names and SSNs *are* protected health information (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html, “What Information is Protected”)
2. If a non-covered entity, why do they need to engage in “efforts to ensure strict compliance with HIPAA regulations?” (http://www.cordblood.com/cord_blood_news/media/press_releases/call_miner_tech_integral_cbr.asp). Granted, since it’s the only mention of HIPAA on their entire site, it could be a mistake by an overzealous PR department type.
I did find that a competitor and public company (Cryo Cell) has a 10-K filing noting that:
“The Company is not subject to HIPAA because the Company does not engage in certain electronic transactions related to the reimbursement of healthcare providers and because blood and tissue procurement and banking activities are exempt. However, the healthcare providers that collect umbilical cord blood for the Company’s customers are subject to HIPAA. The identifiable information shared is only what is permitted by HIPAA. In 2009, a portion of the American Recovery and Reinvestment Act of 2009 modified HIPAA under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). While the Company is still not subject to HIPAA for the reasons stated above the Company may incur material expenses associated with compliance efforts. In addition, compliance may require management to spend substantial time and effort on compliance measures. If the Company fails to comply with HIPAA, it could suffer criminal and civil penalties. The civil penalties could include monetary penalties ranging from $100 per violation to $1.5 million depending on the level of violation.” (http://www.faqs.org/sec-filings/100301/CRYO-CELL-INTERNATIONAL-INC_10-K/)
Very confusing.
Thanks so much for your thoughtful comment. I share some of your confusion, but names and SSNs are only “protected health information” if they are in the hands of a HIPAA-covered entity. So if they’re not HIPAA-covered, it’s not PHI and we should view the names and SSNs as we do with any business.