Indiana Cancer Group Data Breach Affects About 55,000 People

A laptop computer bag stolen from an Indiana Cancer Group employee's vehicle compromised the data of about 55,000 patients and employees.

Cancer Care Group, an Indianapolis oncology practice that treats and manages patients using radiation therapy, has reported a data breach affecting approximately 55,000 individuals, including patients and employees.

Operating in 21 locations within Indiana, Cancer Care Group provides treatment, research, education and training in oncology.

On July 19 a laptop computer bag was stolen from an employee's locked vehicle, the oncology organization reported. The physician group announced the breach on Aug. 28.

A spokesman for Cancer Care Group declined to comment beyond information in the company's news release.

Data stored on server backup media in the laptop computer bag included patients' names, addresses, Social Security numbers, dates of birth, medical record numbers and insurance information.

The backup device also contained data on Cancer Care Group employees, such as dates of birth, Social Security numbers, beneficiary names and employment data.

The affected data was for billing purposes only, according to the Cancer Care Group.

"There is no evidence to believe that the backup media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes," the organization reported in a statement on its Website. "Cancer Care Group assures its patients and employees that it took immediate steps to investigate and attempt to recover the backup media."

The organization has filed a police report and notified patients and employees.

Steps the Cancer Care Group will take to secure health care data in the future include encrypting mobile storage devices, upgrading data storage equipment, and revising policies and procedures, the organization reported.

"Cancer Care Group deeply regrets that this occurred," the group stated. "We are committed to excellent care and protecting the privacy of personal information."

The organization has posted the toll-free number 866-264-1049 for further information on the breach.

Cancer Care Group's incident is the fourth-largest health care breach this year, according to Healthcare IT News.

On April 18 Emory Healthcare in Atlanta reported the loss of 10 backup disks containing data on 315,000 surgical patients. The disks were unencrypted and stored in an unlocked cabinet.

On March 30, a hacker from Eastern Europe put about 280,000 Social Security numbers for Medicaid claims at risk by hacking a Utah Department of Technology Services server. That incident involved health data for Medicaid and Children's Health Insurance Plan patients. In addition to those patients whose Social Security numbers were stolen, 500,000 others were affected in the Utah incident.

Recent health care data breaches highlight a need for more investment in security by health care organizations, according to Judy Hanover, research director at IDC Health Insights. Audits of security practices and vulnerabilities are also necessary, she said.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, incidents involving 500 or more people must be reported to the U.S. Department of Health and Human Services and to the news media. The 2009 HITECH law strengthened breach-reporting measures under the Health Insurance Portability and Accountability Act (HIPAA), which governs the release of protected health information.