Memorial Sloan-Kettering Cancer Center breach exposes patient data – but when?

Does anybody recognize this breach?  The information was found in Google’s cache:

Memorial Sloan-Kettering Cancer Center Information Website

Data Compromise Questions

1. What has happened?
Patient information was inadvertently included in a software update to a website used by physicians, medical researchers and their staff. Sixteen users outside of MSKCC downloaded the software with the patient data in it.

2. What type of information was possibly compromised?
The personal information included name, medical record number and diagnosis. It did not include your Social Security Number.

3. Was my information stolen? Sold?
Based on our investigation and the limited users who downloaded the application, we believe your information was not involved in any theft, or accessed in a manner deemed inappropriate.

4. Why didn’t you report the loss of the data sooner?
With any such event, it takes time to gather the relevant information, identify those impacted, and obtain the assistance services that are being offered so we can appropriately assist our affected patients. It was important to MSKCC that we identify who was and was not affected, and the extent of the potential exposure so that MSKCC didn’t unnecessarily alarm anyone. Additionally, MSKCC took immediate action to stop the problem as soon as it was discovered.

5. What is Memorial Sloan-Kettering Cancer Center doing to prevent this kind of loss from happening again?
MSKCC is undertaking a comprehensive investigation of the circumstances that led to this incident. They have taken immediate steps to correct the problem and will take additional steps necessary to prevent this problem from recurring again.


I’ve emailed the hospital twice to ask whether this is a recent breach or an older one, but have gotten no response to date.  Anyone know?

About the author: Dissent

7 comments to “Memorial Sloan-Kettering Cancer Center breach exposes patient data – but when?”

You can leave a reply or Trackback this post.
  1. Anonymous - April 6, 2010

    Is tis in NY? It was part of 911 incident then.

  2. Anonymous - April 6, 2010

    Yes, the hospital’s in New York, but I’m not sure why you think it was part of a 9/11-related breach. Are you thinking of the World Trade Center Medical Monitoring Program? Sloan-Kettering isn’t one of the sites in that program as far as I know.

    I suspect that this was a glitch in something that supports one of their own research studies.

    The page was originally at:

    • Anonymous - April 7, 2010

      Dissent- change last reply: Perhaps, I just remember that in all the confusion there was one hospital accepting wounded that had a worker stealing ids. It was not a monitoring center but a hospital.

      [At Golde’s request, I deleted another comment she had submitted].

  3. Anonymous - April 7, 2010

    I am the Director of Communications at Memorial Sloan-Kettering Cancer Center and in response to your question, those affected by this were notified in the summer of 2009, shortly after we became aware of the problem. I am not sure what email address you used but our office monitors all email to the address on our web site and we didn’t recieve your inquiry.

    • Anonymous - April 7, 2010

      Hi Christine,

      Thanks for clarifying the breach.

      The email address I used for both emails was [email protected] which is the address I got from the hospital’s web site.

      I got no response to the first one which was dated March 31, so I requested a receipt on the second one, which was emailed on April 1. The receipt for the second one came back this way on April 5:

      Not read: Second request [Fwd: Recent data security breach?]
      From: “Media Staff /Public Affairs”
      Date: Mon, April 5, 2010 20:15
      To: “[email protected]
      Priority: High

      Was that not the correct email address?

  4. Anonymous - April 7, 2010

    I have not found any information in 2009 of a breach at this facility. Was it made public?

    • Anonymous - April 7, 2010

      If it had been made public, I probably would have known about it or been able to track it down online. That’s why I was asking as to when this was.

Comments are closed.