The University of Texas MD Anderson Cancer Center is in the process of notifying patients after an unencrypted USB thumb drive containing some patient and research information was discovered missing from an MD Anderson researcher’s office on December 2, 2013. After learning of the incident, MD Anderson immediately began an exhaustive search for the device and conducted a thorough investigation to determine its contents. Unfortunately, the USB thumb drive has not been located.
The thumb drive was last seen on November 27, 2013. MD Anderson officials have no reason to believe the information has been or will be accessed improperly. However, as a precaution and in the interest of transparency with patients and the public, the institution began mailing letters on January 31 as part of efforts to notify 3,598 patients whose information was on the drive.
The following information was on the lost USB drive:
- Patient names
- Patient medical record numbers
- Patient diagnosis
- Treatment and research information
- Dates of birth, in a limited number of instances
The drive did not contain Social Security numbers or other financial information likely to place impacted patients at risk for identity theft.
“MD Anderson deeply regrets that this incident has occurred and we wish to apologize to our affected patients and their loved ones. We are continuously enhancing our practices and policies to protect patient data. For example, we have strengthened protections even further by providing staff a tool to encrypt any USB thumb drive by connecting it to an MD Anderson computer.”
MD Anderson has several ongoing measures in place to keep patient data secure. These measures include staff training and frequent communications about the proper use and storage of patient data. Additionally, MD Anderson computers are encrypted so that patient information is protected in the case of loss or theft. With the increasing use of portable devices, protections also are in place that include the ability to remotely “wipe” hardware-encrypted USB drives as well as smart phones and other mobile devices allowed to access MD Anderson resources.
MD Anderson also offers patients the option of placing a confidentiality flag on their medical records to ensure that no information will be released from their medical records unless a requestor provides a password. Patients who receive letters notifying them that their data was included on the lost USB drive are being provided a 1-800 number to call if they have additional questions about the incident. Additional information can be found on the home page of the MD Anderson Web site.