Cancer Care Group leaves unencrypted server backups in car, loses data on 55,000 patients and staff

Indiana-based Cancer Care Group (CCG) is the latest US healthcare provider to have its fifteen minutes of data breach infamy.

The radiation therapy company announced yesterday that it had suffered a reportable data spillage back in July.

If you’re an optimist, you might report that CCG misplaced personal information for up to 55,000 individuals, apparently including both patients and staff.

But news depends on how you tell it, so if you’re a pessimist, you might report instead that CCG allowed an employee to leave unencrypted server backup data – along with his laptop, it seems, or perhaps on his laptop, for all the difference that makes – unattended in his car.

Astute readers will be aware that, for reasons having to do with road safety, such as actually being able to see where you’re going, cars are festooned with easily-broken glass, and thus that valuables left in cars are equally-easily pinched.

Whilst we mustn’t forget that CCG is the victim of a crime here, we also have to ask, “Why would anyone, ever, leave an unencrypted laptop unattended in a car?” That’s like running a public-facing blog using WordPress 1.5.2 on an unpatched Windows 2000 server.

(I exaggerate for effect, of course, but not by much. And to be fair to WordPress, I note that explicitly warns you that “none of [our pre-3.4 releases] are safe to use.”)

CCG’s breach hasn’t yet made it to the official breach list of the U.S. Department of Health and Human Services, but it will: the department is required by the HITECH Act [*] to publicise all breaches involving 500 or more individuals.

The list makes for pessimistic reading – for example, it already contains three breaches larger than CCG’s for 2012 alone. But there is a glass-half-full side for the optimists amongst us: it’s a great source of material you can use for asking your healthcare providers what steps they take to look after your data.

Indeed, I urge you to make a point of asking anyone who looks after data on your behalf, whether financial, medical, electoral or just plain personal, what they do to keep your data safe.

Think of this as low-key activism of the most fundamental and important sort. By always and explicitly asking how companies handle information they collect about you, you’re applying pressure which is not only lawful but entirely reasonable in order to make sure that data collectors do the right thing.

And don’t accept blandishments which say nothing more than “your privacy is important to us.” To companies which collect your data, protecting it is more than an importance. It’s an obligation.

By the way, if they use any sort of third-party cloud services to help them collect, manage and store your data, make that that you apply your activism recursively to their cloud providers, too.

You can’t outsource your accountability!

[*] HITECH Act: Health Information Technology for Economic and Clinical Health Act, passed 2009

Car with broken window and ransacked glovebox courtesy of some thieving toerag, picture of same courtesy of Shutterstock.