DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Judge tentatively approves Cord Blood Registry class action lawsuit settlement

Posted on February 6, 2013 by Dissent

It’s been an interesting few weeks for those who have followed the Cord Blood Registry (CBR) data breach.

As background: back in February 2011, CBR disclosed that backup tapes with 300,000 people’s information had been stolen from an employee’s unattended vehicle in December 2010. CBR offered those affected one year of free credit monitoring and indicated that they had improved their security.  That didn’t satisfy everyone, it seems, as a potential class action lawsuit was filed (Johansson-Dohrmann v. CBR Systems, Inc.).

Then on January 28, the FTC announced that it had settled charges against CBR, which was the first anyone knew that the FTC had opened a case against CBR. The FTC had charged that CBR had not lived up to its privacy policy:

Cbr did not have reasonable policies and procedures to protect the security of information it collected and maintained. In addition, Cbr allegedly created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive, and other portable data storage devices containing personal information in a way that made the information vulnerable to theft.

The settlement included putting CBR under monitoring for 20 years and barred any misrepresentation of their privacy and security protections.

Now today, a judge gave preliminary approval to the class-action lawsuit. Thomson Reuters reports:

Under terms of the proposed settlement, reached last November, CBR will have to provide credit monitoring and identity theft insurance to each affected class member [for up to two years], as well as cash reimbursements for any losses resulting from identity theft.

Plaintiff’s lawyer Patrick Keegan estimated that the credit monitoring package was worth up to $112 million to the class members, according to court documents. The settlement also provides up to $600,000 in payment to the plaintiff’s lawyers.

I wonder how much this breach cost CBR, in total. Investigating the breach to determine who had what information on the devices and who required notification, defending against the lawsuit and the FTC, having to hire auditors, the cost of ID theft insurance and credit monitoring, and improvements to its security are not cheap, even though the majority of class members will likely not even sign up for the free credit monitoring.

And all because devices with unencrypted PII were left in an unattended vehicle.

I bet they won’t do that again.  Or at least, I hope they won’t.  The FTC cannot fine first offenders, but if there’s another incident, the FTC could seek heavy monetary penalties.

And I bet they breathed a sigh of relief that they are not a HIPAA-covered entity, or HHS/OCR would have been investigating them, too.  As it is, it is still possible that states attorney general could take action, although if we haven’t seen any such press releases by now about investigations, I tend to doubt we will.

 

Related posts:

  • FTC settles charges against Cord Blood Registry over data breach
  • Cord Blood Registry notifies 300,000 of stolen backup tapes (updated)
  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action; Also Agrees to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach
Category: Breach IncidentsBusiness SectorTheft

Post navigation

← 12 Sue North Shore University Hospital In L.I., Allege Breach Resulted in Identity Thefts
Utah senate passes bill that would require Medicaid or CHIP participants be notified that their data will be in state databases →

2 thoughts on “Judge tentatively approves Cord Blood Registry class action lawsuit settlement”

  1. Alan Pritchard says:
    March 4, 2013 at 4:57 pm

    If this happen in 2010 why am I just getting a card in the mail today 3/4/13 wow

    1. admin says:
      March 5, 2013 at 5:19 pm

      What card did you get today and from whom? CBR notified affected individuals of the breach by mail on February 14, 2011. Did you get that notification back then?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Breaches have consequences (sometimes)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity
  • Patient death at London hospital linked to cyber attack on NHS
  • ShinyHunters and team members arrested in France (2)
  • Texas Enacts Liability Shield From Punitive Damages for Certain Small Businesses That Adopt Cybersecurity Programs
  • Dublin ETB fined €125,000 for data protection breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.