68,767 Patients Affected by McKesson Stolen Computers
Date Reported:
9/7/07
Organization:
McKesson Specialty Pharmaceutical
Contractor/Consultant:
None
Victims:
Current and former patients
Number Affected:
"Thousands" 9/12/07 UPDATE: There are 68,767 Affected
Types of Data:
Name, address, prescribed medications, dosages, Social Security number, and date of birth.
Breach Description:
On July 18th, two computers were stolen from a McKesson office that contained personally identifiable data on current and former patients.
Reference URL:
http://www.informationweek.com/news/showArticle.jhtml?articleID=201804872
Report Credit:
Sharon Gaudin, InformationWeek
Response:
From the online article noted above:
"The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines."
"At this point, we have not determined if your personal information was on either stolen computer. However, we are taking the precaution of notifying every patient whose information might have been on the computers, just to be safe."
[Comfyllama] Unfortunate that McKesson doesn't know, but good that they are trying to "be safe".
"A spokesman for McKesson did not return phone calls requesting comment, but a company representative on the McKesson hotline said "thousands" of patients were affected."
"The company representative said it's not clear if the data on the machines was encrypted."
[Comfyllama] Hmm. Not clear? Should we assume it was not?
A representative of McKesson stated that the company is offering one year of free credit monitoring to those who request it.
[Comfyllama] I wonder if they are informing victims of this? Request it either way.
"We also have taken steps to ensure this doesn't happen again by increasing and improving employee understanding and awareness of corporate security policies and procedures, policies for handling patient data, and company security processes," wrote Blake. "We deeply regret that this incident occurred."
[Comfyllama] Excellent! Employee training and awareness cannot be stressed enough in my opinion. It doesn't do much to help the current victims, but it will help prevent future ones. This is a wonderful response statement.
McKesson has set up a hotline for victims to call with questions and comments,
Commentary:
I wonder how these computers were stolen from the office and what type of physical controls were in place, i.e. locks, video cameras, etc. There is not much information available yet about this breach, but I would expect more soon. Although McKesson is not sure whether or not the computers were encrypted, it is refreshing that this is even mentioned.
Ironically, the "Privacy" link on McKesson's home page is broken:

Past Breaches:
None
UPDATE: AstraZeneca "Medicine&Me PAP" patients are affected by this breach according to the New Hampshire AG Breach Notification.
BUT WAIT! There's more.
The number of affected persons has been named, and changed in this blog posting.
A list of affected organizations has been named (in addition to AstraZeneca which was already mentioned).
Also affected by the breach are members of:
- Axcan's CareFirst for CF/Comprehensive Care Program for CF/Rx Cost Reduction
- Bayer Patient Assistance Program and/or Indigent Patient Program
- GlaxoSmithKline Bridges to Access/Commitment to Access
- IVAX Patient Assistance Program
- Johnson & Johnson Duragesic Patient Assistance Program
- Pfizer FirstRESOURCE Program
- Schering Plough SP-Cares
- Serono Serostim Patient Assistance Program and Saizen Patient Assistance Program