268,000 donors exposed through stolen Memorial Blood Centers laptop
Technorati Tag: Security Breach
Date Reported:
12/5/07
Organization:
Memorial Blood Centers*
*Memorial Blood Centers is a nationally known, locally operated nonprofit community blood center that has supplied blood and blood components to area hospitals for nearly 60 years. Memorial Blood Center operates 10 donor centers at nine Minnesota sites and one in Superior, Wisconsin and conducts more than 125 blood drives monthly.
Contractor/Consultant/Branch:
None
Victims:
Blood donors
Number Affected:
About 268,000
Types of Data:
Name and Social Security number.
Breach Description:
A laptop was stolen from the Memorial Blood Centers on the morning of November 28th, 2007 while preparations were being made for a blood drive in downtown Minneapolis, Minnesota. The laptop contained names and Social Security numbers of 268,000 blood donors and appears to have not been encrypted.
Reference URL:
Press Release on the Memorial Blood Centers Press Release
Report Credit:
Memorial Blood Centers
Response:
From the official press release cited above:
Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer holding donor information.
About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s social security number.
[Comfyllama] Why is a Social Security number required to donate blood?!?! Crazy.
The laptop computer was stolen on November 28, 2007 in downtown Minneapolis during early morning preparations for a blood drive.
The theft was captured on building security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with law enforcement authorities to recover the laptop computer.
Access to the donor information on the laptop is protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use. The donor records do not contain medical information.
[Comfyllama] Multiple levels of passwords means little more than a nuisance to anyone with even minimal computer skill. If this was a shared laptop (not uncommon in this situation), then the chance of the password(s) being written down are increased. I am curious what "other technologies" means? Right now, it means nothing to me.
“We apologize for any anxiety this incident may cause for our donors,” said Don Berglund, Chief Executive Officer of Memorial Blood Centers. “This appears to have been a random crime. We believe the measures securing access to the donor records protect against their inappropriate use. We also immediately implemented additional measures to further protect against unauthorized access to donor data.”
[Comfyllama] On the one hand, I am always impressed when a CEO comments about a breach of security because it shows recognition of the fact that "the buck stops" with him/her. On the other hand, the comment "We believe the measures securing access to the donor records protect against their inappropriate use" shows a level of naiveness (assuming no encryption).
Memorial Blood Centers has begun notifying the affected donors whose names and Social Security numbers were on the stolen computer. Notified individuals are being encouraged to monitor their financial accounts as a precaution.
A special hotline has been established for donors who may have further questions about this theft. Donors with questions can reach the hotline by calling .
Persons with any knowledge of the theft are asked to call the Minneapolis Police Tipline at (612) 692-TIPS.
Commentary:
This is a serious breach that needs further explanation. Why on earth does the Memorial Blood Centers need to collect Social Security numbers as part of their blood collection process? I assume that they use Social Security numbers as identifiers, which everyone should know is a "no-no" unless its require by law. I'm no lawyer, so is it required by law?
Let's say for a second that Memorial Blood Centers is required by law to collect and store Social Security numbers as part of the donation process. This is the year 2007, and we should be encrypting confidential data at rest. There should be no more excuses.
Let's say for a second second that this information was protected with encryption. Then state this in the press release.
Past Breaches:
Unknown
Date Reported:12/5/07
Organization:
Memorial Blood Centers*
*Memorial Blood Centers is a nationally known, locally operated nonprofit community blood center that has supplied blood and blood components to area hospitals for nearly 60 years. Memorial Blood Center operates 10 donor centers at nine Minnesota sites and one in Superior, Wisconsin and conducts more than 125 blood drives monthly.
Contractor/Consultant/Branch:
None
Victims:
Blood donors
Number Affected:
About 268,000
Types of Data:
Name and Social Security number.
Breach Description:
A laptop was stolen from the Memorial Blood Centers on the morning of November 28th, 2007 while preparations were being made for a blood drive in downtown Minneapolis, Minnesota. The laptop contained names and Social Security numbers of 268,000 blood donors and appears to have not been encrypted.
Reference URL:
Press Release on the Memorial Blood Centers Press Release
Report Credit:
Memorial Blood Centers
Response:
From the official press release cited above:
Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer holding donor information.
About 268,000 donor records on this laptop computer contain a donor name in combination with the donor’s social security number.
[Comfyllama] Why is a Social Security number required to donate blood?!?! Crazy.
The laptop computer was stolen on November 28, 2007 in downtown Minneapolis during early morning preparations for a blood drive.
The theft was captured on building security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with law enforcement authorities to recover the laptop computer.
Access to the donor information on the laptop is protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use. The donor records do not contain medical information.
[Comfyllama] Multiple levels of passwords means little more than a nuisance to anyone with even minimal computer skill. If this was a shared laptop (not uncommon in this situation), then the chance of the password(s) being written down are increased. I am curious what "other technologies" means? Right now, it means nothing to me.
“We apologize for any anxiety this incident may cause for our donors,” said Don Berglund, Chief Executive Officer of Memorial Blood Centers. “This appears to have been a random crime. We believe the measures securing access to the donor records protect against their inappropriate use. We also immediately implemented additional measures to further protect against unauthorized access to donor data.”
[Comfyllama] On the one hand, I am always impressed when a CEO comments about a breach of security because it shows recognition of the fact that "the buck stops" with him/her. On the other hand, the comment "We believe the measures securing access to the donor records protect against their inappropriate use" shows a level of naiveness (assuming no encryption).
Memorial Blood Centers has begun notifying the affected donors whose names and Social Security numbers were on the stolen computer. Notified individuals are being encouraged to monitor their financial accounts as a precaution.
A special hotline has been established for donors who may have further questions about this theft. Donors with questions can reach the hotline by calling .
Persons with any knowledge of the theft are asked to call the Minneapolis Police Tipline at (612) 692-TIPS.
Commentary:
This is a serious breach that needs further explanation. Why on earth does the Memorial Blood Centers need to collect Social Security numbers as part of their blood collection process? I assume that they use Social Security numbers as identifiers, which everyone should know is a "no-no" unless its require by law. I'm no lawyer, so is it required by law?
Let's say for a second that Memorial Blood Centers is required by law to collect and store Social Security numbers as part of the donation process. This is the year 2007, and we should be encrypting confidential data at rest. There should be no more excuses.
Let's say for a second second that this information was protected with encryption. Then state this in the press release.
Past Breaches:
Unknown
Posts Atom 1.0
Comments