I first became aware of the following breach from DataLossDB.org. It was reported to them by one of those affected who also reported it on ScamSafe:
ScamSafe appears to be the first to report a serious data breach at Cord Blood Registry (www.cordblood.com). No mention has been found of this breach in the news or the Data Loss database.
The author received a notification letter as a customer of CBR dated February 14 2011.
A CBR computer and data backup tapes were stolen from an employee’s locked automobile. The stolen tapes contained customer names, Social Security numbers, driver’s licenses and/or credit card numbers.
Read more on ScamSafe.
The breach notification letter was uploaded to DataLossDB.org.
I don’t know what other correspondence CBR sent those affected, but their Feb. 14 letter does not include any description at all of what happened or what types of information were involved. Hopefully, such information was in the FAQ they sent, which was not uploaded. The police report indicates that the theft occurred in San Francisco on December 13, 2010. I cannot find any statement on CBR’s web site at this time.
I contacted CBR to request additional details. A corporate spokesperson sent me the following statement:
As a company we are doing everything we can to help make customers feel secure after being victims ourselves of a crime. Notifications went out to approximately 300,000 people. The tapes may have contained personal client data. A computer and other property were also stolen at the same time, and we do not believe these tapes were the target of the theft. CBR promptly notified law enforcement of the incident and we brought in computer security experts to evaluate potential risks. Our experts have advised us there is no indication at this time that any of the personal data has been accessed or misused. In order to provide clients with additional protection and peace of mind, we have arranged for clients to sign up for a one-year credit protection program at no charge.
According to the spokesperson’s statement, CBR is not a HIPAA-covered entity and the breach did not involve any health information. The spokesperson did not directly respond to an inquiry asking whether CVV codes were also stored on the backup tapes or computer along with the credit card numbers, but noted that the type of information was different for different individuals.
In response to the incident, CBR has strengthened its security:
We have taken extra steps on behalf of our customers in providing the credit monitoring free of charge. CBR has also strengthened and tightened our data security procedures. We hired security experts and implemented a number of improvements to protect our client data. The company continues to monitor these processes but will not share any details of these changes in order to preserve the integrity of the security mechanisms. The data on the tapes was not encrypted. We recognize that the loss of unencrypted data poses a risk, and that’s why we sent out the notices to our customers.
Cross-posted from PHIprivacy.net
Update 3-9-11: CBR’s notification to the New Hampshire Attorney General’s Office is available on that site.