Another Big Breach of PHI for MD Anderson

A lost flash drive has resulted in MD Anderson Cancer Center’s second major breach of unsecured protected health information in recent months.

A medical student at the center lost an unencrypted thumb drive on an employee shuttle bus on July 13 and notified superiors the following day, according to a MD Anderson statement. “While we have no reason to believe that the information has been or will be accessed improperly, we are alerting our patients that the drive contained some patient information, including patient names, dates of birth, medical records numbers and diagnoses, and treatment and research information. The USB thumb drive contained no patient Social Security numbers or other financial information.”

The statement did not disclose the number of affected patients and whether the center is offering paid credit and/or identity theft protection services, and a spokesperson did not respond to a request for more information. The Houston Chronicle reports about 2,200 patients were affected.

MD Anderson in its statement said the organization is “enhancing our practices regarding the use of portable devices to transport patient data and are working to encrypt these devices.” The company issued a similar pledge in late June when it announced the theft of a laptop on April 30 containing protected information on 29,201 patients, including Social Security numbers for about one-third of them. “We are taking steps to prevent this from happening in the future, including accelerating our efforts to encrypt all MD Anderson computers.”