University of Texas MD Anderson Cancer Center reports second HIPAA breach in three months
The University of Texas M.D. Anderson Cancer Center, which reported in June that a laptop stolen from a doctor’s home in April held data on 30,000 patients, has reported yet another breach.
KTRK in Houston reports that an unencrypted flash drive containing protected health information was lost on an employee shuttle bus on July 13. In a statement posted today on its web site, the center writes that the drive contained “some patient information, including patient names, dates of birth, medical record numbers and diagnoses, and treatment and research information. The USB thumb drive contained no patient Social Security numbers or other financial information.”
According to KTRK, 2,200 patients were affected.
As it did in the previous breach, the center indicated that it was working to encrypt all devices. Of course, that will likely infuriate many who will reasonably ask why the center’s devices weren’t already encrypted. Losing small portable devices is not exactly a newly recognized risk.
So far, HHS has never fined any entity for a breach like this, but how many breaches does an entity have to have before it incurs some actual penalty for not having invested in adequate security?