DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Judge tentatively approves Cord Blood Registry class action lawsuit settlement

Posted on February 6, 2013 by Dissent

It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.

As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security.  That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).

Then on January 28, the FTC announced that it had settled charges against CBR, which was the first anyone knew that the FTC had opened a case against CBR. The FTC had charged that CBR had not lived up to its privacy policy:

Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.

The settlement included putting CBR under monitoring for 20 years and barred any misrepresentation of their privacy and security protections.

Now today, a judge gave preliminary approval to the class-action lawsuit. Thomson Reuters reports:

Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.

Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.

I wonder how much this breach cost CBR, in total. Investigating the breach to determine who had what information on the devices and who required notification, defending against the lawsuit and the FTC, having to hire auditors, the cost of ID theft insurance and credit monitoring, and improvements to its security are not cheap, even though the majority of class members will likely not even sign up for the free credit monitoring.

And all because devices with unencrypted PII were left in an unattended vehicle.

I bet they won’t do that again.  Or at least, I hope they won’t.  The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.

And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too.  As it is, it is still possible that states attorney general could take action, although if we haven’t seen any such press releases by now about investigations, I tend to doubt we will.

 

Category: Breach IncidentsBusiness SectorTheft

Post navigation

← 12 Sue North Shore University Hospital In L.I., Allege Breach Resulted in Identity Thefts
Utah senate passes bill that would require Medicaid or CHIP participants be notified that their data will be in state databases →

2 thoughts on “Judge tentatively approves Cord Blood Registry class action lawsuit settlement”

  1. Alan Pritchard says:
    March 4, 2013 at 4:57 pm

    If this happen in 2010 why am I just getting a card in the mail today 3/4/13 wow

    1. admin says:
      March 5, 2013 at 5:19 pm

      What card did you get today and from whom? CBR notified affected individuals of the breach by mail on February 14, 2011. Did you get that notification back then?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.