Philadelphia Family Planning Council Data Breach Affects 70,000 Patients

The Family Planning Council in Philadelphia reported a data breach involving a flash drive theft, placing information on 70,000 patients at risk.

The nonprofit Family Planning Council in Philadelphia has reported that a USB flash drive containing information on 70,000 patients was stolen in December and has not been recovered.

The council provides funding to Philadelphia-area health care organizations offering family planning and reproductive health services such as HIV and STD screening, cancer screening and teen pregnancy prevention. It discovered the breach Dec. 28 and reported the incident to the Philadelphia Police Department.

A former Family Planning Council employee, Kelly Len Stanton, 41, was arrested Feb. 9 on charges related to the flash drive theft, Tasha Jamerson, a spokesperson for the Philadelphia District Attorney's office, told eWEEK.

Stanton was charged with burglary, theft, criminal trespass and receiving stolen property, Jamerson said. As of April 14, he's being held on bond while awaiting a trial. A pretrial conference is scheduled for April 21, Jamerson said.

Sarah Grambs, a spokesperson for the Family Planning Council, confirmed to eWEEK that Stanton's employment at the organization ended Dec. 28, the same day the breach was discovered.

Stanton was a peer counselor in the council's HIV program, Melissa Weiler Gerber, the council's executive director, told the Philadelphia Inquirer.

The theft occurred between Dec. 23 and Dec. 27, and the council delayed notifying patients and the public until April at the request of the police department and Philadelphia District Attorney's office.

The data at risk belonged to many health care providers for which the council processes data for reporting and billing purposes. The council notified these providers Jan. 13. They include Planned Parenthood Southeastern Pennsylvania and The Children's Hospital of Philadelphia.

Patients with exposed information on the flash drive had received reproductive health services between Oct. 2, 2008, and Nov. 30, 2010. Data on the flash drive included patient name, address, phone number, Social Security number and date of birth. Data on the drive had not been accessed, the council believes.

As is customary for health care companies suffering data breaches, the council is offering free credit protection and monitoring to affected individuals.

To prevent future data breaches, the council will require encryption on removable storage devices, retrain staff and increase building security.

The Family Planning Council incident is just the latest in a series of flash drive data breaches to be reported. On Feb. 23, Henry Ford Health System in Detroit notified the public of a lost flash drive containing information on 2,777 patients, and on Sept. 20, insurer AmeriHealth Mercy reported a missing flash drive that stored data on 280,000 Medicaid members.

The alarming pattern of breaches shows a real need to take preventive measures before these incidents occur, according to Liesl Schwoebel, manager of global strategic B2B marketing for Kingston Technology, a major flash drive manufacturer.

Health providers are often hesitant to implement security changes due to cost, Schwoebel told eWEEK.

The stolen flash drive at Family Planning Council was simply password-protected rather than encrypted, Schwoebel noted.

Steps companies could take to better secure data include encrypting the devices, monitoring data transfer on the drives using back-end management software and creating an audit trail.

"It's a bit intimidating for health care organizations to understand what is the right level of encryption for what they need," Schwoebel said. "There are different types of drives that offer different levels of security, and they should work with someone to analyze what's the correct level of security they need for their data and put together an overall plan to make sure that the USB drives they do provide to their customers meet the standards for data loss prevention."