Cancer Care Group leaves unencrypted server backups in car, loses data on 55,000 patients and staff

Filed Under: Data loss

Indiana-based Cancer Care Group (CCG) is the latest US healthcare provider to have its fifteen minutes of data breach infamy.

The radiation therapy company announced yesterday that it had suffered a reportable data spillage back in July.

If you're an optimist, you might report that CCG misplaced personal information for up to 55,000 individuals, apparently including both patients and staff.

But news depends on how you tell it, so if you're a pessimist, you might report instead that CCG allowed an employee to leave unencrypted server backup data - along with his laptop, it seems, or perhaps on his laptop, for all the difference that makes - unattended in his car.

Astute readers will be aware that, for reasons having to do with road safety, such as actually being able to see where you're going, cars are festooned with easily-broken glass, and thus that valuables left in cars are equally-easily pinched.

Whilst we mustn't forget that CCG is the victim of a crime here, we also have to ask, "Why would anyone, ever, leave an unencrypted laptop unattended in a car?" That's like running a public-facing blog using WordPress 1.5.2 on an unpatched Windows 2000 server.

(I exaggerate for effect, of course, but not by much. And to be fair to WordPress, I note that explicitly warns you that "none of [our pre-3.4 releases] are safe to use.")

CCG's breach hasn't yet made it to the official breach list of the U.S. Department of Health and Human Services, but it will: the department is required by the HITECH Act [*] to publicise all breaches involving 500 or more individuals.

The list makes for pessimistic reading - for example, it already contains three breaches larger than CCG's for 2012 alone. But there is a glass-half-full side for the optimists amongst us: it's a great source of material you can use for asking your healthcare providers what steps they take to look after your data.

Indeed, I urge you to make a point of asking anyone who looks after data on your behalf, whether financial, medical, electoral or just plain personal, what they do to keep your data safe.

Think of this as low-key activism of the most fundamental and important sort. By always and explicitly asking how companies handle information they collect about you, you're applying pressure which is not only lawful but entirely reasonable in order to make sure that data collectors do the right thing.

And don't accept blandishments which say nothing more than "your privacy is important to us." To companies which collect your data, protecting it is more than an importance. It's an obligation.

By the way, if they use any sort of third-party cloud services to help them collect, manage and store your data, make that that you apply your activism recursively to their cloud providers, too.

You can't outsource your accountability!


[*] HITECH Act: Health Information Technology for Economic and Clinical Health Act, passed 2009

Car with broken window and ransacked glovebox courtesy of some thieving toerag, picture of same courtesy of Shutterstock.

, , , , ,

You might like

6 Responses to Cancer Care Group leaves unencrypted server backups in car, loses data on 55,000 patients and staff

  1. Ben0xA · 1098 days ago

    As long as you have legislation that will fine health care facilities for not implementing new technology, you will have people who focus their time and resources on that instead of security awareness training to protect what they already have. People are scrambling to keep up with the ANSI 5010, ICD10, Meaningful Use Stage 2 & 3, EMR implementation, and all of the changes with those that they don't have any other resources or cash to focus on proper security training.

    HIPAA, HITECH, and other rules are so vague and open to interpretation that you get two spectrums from facilities: 1.) too strict that you can't do business and the data is just as insecure, and 2.) too lax by not understanding the rules.

    This is not a problem that will be going away any time soon unfortunately. :(

    • Paul Ducklin · 1098 days ago

      You can't really blame vagueness in the law in this case, though, can you :-)

      "Oh, look, a set of unencrypted server backups. I wonder what I should do with them? I know!! I'll pop them in my car for safe keeping."

  2. Michael · 1098 days ago

    And now they will learn the hard way, stupid lame companies with no sense of vital statistic security measures. Sorry for their patients but hope they are feeling shamed right about now. No sympathy for them at all. Learn a lesson yet Cancer Care? The biggest cancer concern was in your computer not in your patients, morons! ;) Thanks for the post! I love calling out companies who run stupid operations.

  3. InfoSec · 1098 days ago

    Why was that information on any laptop to begin with? It seems to me that someone wasn't thinking at all to begin with. The only way we allow access to any data like that is within our secure network, with remote access by use of virtual desktops and similar technologies. the data should never reside on any portable device in a readable form.

  4. Ocean Midge · 1098 days ago

    Fortunately your average theft-ex-vehicle afficionado is probably going to dump a stack of LTOs in the first garbage receptacle they come across as the LTO:Crack exchange rate is, one assumes, not favorable.
    I do agree though that I wouldn't put anything on a non-encrypted laptop that I wouldn't put on a publicly accessible website.

  5. Wack0 · 1097 days ago

    I'd expand your analogy to say that said Windows 2000 server would be without a firewall. :P

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog