The University of Texas MD Anderson Cancer Center has begun notifying almost 30,000 patients that their personal data was stolen after someone swiped an unencrypted laptop from a physician's home on April 30. The data included patient names, medical record numbers, and treatment and research information. In about 10,000 cases, it also included Social Security numbers.
The cancer center said it waited to notify victims until it had conducted a thorough investigation following the reported theft. Officials said MD Anderson began working with outside forensics experts immediately to determine what information was on the stolen computer.
The cancer center is offering credit monitoring services for those whose Social Security numbers were compromised, and is taking steps to better secure all MD Anderson computers and the patient data held within them. Additionally, hospital officials said they will reinforce privacy policies so all employees properly handle patient data.
Last year MD Anderson treated more than 108,000 patients, including nearly 10,000 enrolled in clinical trials involving experimental treatments, the largest such program in the nation.
SECURITY NOTE: Cyberthieves intent on exploiting stolen data can do a lot of damage in 60 days, and failure to promptly alert individual victims puts them at a disadvantage in terms of monitoring their credit card and bank account usage for anomalies, for example. To address this problem, legislation pending in the U.S. and Europe would require notification as quickly as 24 hours.