Moffitt Cancer Center in Tampa, Florida revealed this month that a briefcase of personal information for more than 4,000 cancer patients was stolen from one of its doctors' vehicle.
The briefcase, which was stolen on July 2, contained two personal, unencrypted USB storage devices with the information of 4,056 patients on them and printouts of clinical schedules. The data in question included patient names, dates of birth, medical record numbers and some information on what kinds of medical treatments patients were receiving. It did not include patients’ social security numbers, including partial numbers, or financial information, according to Moffitt spokesperson Patty Kim.
"Moffitt prioritizes the safeguarding of patient information and has very robust data security policies and procedures," she told HCB News. "Moffitt is taking this opportunity to review the use of all USB devices at Moffitt and to enhance our auto-encryption policies. The cancer center has no reason to believe the patient information has been used for fraudulent purposes, as no patient Social Security numbers or financial information was involved. Moffitt conducted a thorough investigation and notified patients as soon as possible."
Patients potentially affected are those who received care through the blood and marrow transplant department. Moffitt officials said they learned of the theft on July 4 and began sending out letters to notify patients on September 2.
When questioned why it took nearly two months to notify patients, Moffitt's Patty Kim said it “conducted a thorough investigation which involved an intensive review of the information known to be contained on the drive” and that “patients were notified as soon as possible," " target="blank">reported The Tampa Bay Times
The physician whose car was robbed has not been named, and it was not disclosed if he or she is facing any disciplinary action, reported The Tampa Bay Times.
The U.S. Department of Health and Human Services Office for Civil Rights is also investigating the matter. Moffitt officials are reviewing the use of USB storage devices and enhancing the facility’s auto-encryption policies but wrote in a notice posted to its website that there was “no indication that the information was viewed or misused” due to there being no social security numbers of financial information involved in the breach.
A cybersecurity expert, however, told The Tampa Bay Times that the information stolen could still be used to steal a person’s identity.
“About 80 to 85 percent of the information has already been revealed,” Guillermo Francia III, a faculty scholar and professor at the University of West Florida’s Center for Cybersecurity, told the Florida paper. “They might be able to finish out the last missing piece of the social security number. This is a scary thing.”
He adds that health information should always be encrypted, especially if it’s outside a health facility at any point. “Why they had to wait that long, I don’t understand," Francia said.