Donor personal information was on Lifeblood stolen laptop

Date Reported:
2/13/08

Organization:
Lifeblood

Contractor/Consultant/Branch:
None

Victims:
Blood donors

Number Affected:
320,000

Types of Data:
"names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers"

Breach Description:
Two laptop computers are lost and presumed stolen from a storage room at the Lifeblood office building.  The laptops contained sensitive and personal information belonging to blood donors.

Reference URL:
Lifeblood Press Release
Commercialappeal.com story
WREG Memphis Channel 3 News
UPDATED 2/25/08: Lawsuit filed by attorney Charles Curbo on behalf of donor Robert Saino seeking class-action status and monetary damages
[Evan] Read the comments posted with this article.  Mr. Saino is not getting any "love" from the readers.  If Mr. Curbo, Mr. Saino, et al. win this lawsuit, it could cost millions of dollars to Lifeblood.  Mr. Curbo would take his LARGE chunk of the proceeds and then what?  Lawyer gets rich off the little guy.

Report Credit:
Lifeblood

Response:
From the online sources cited above:

Two laptop computers are missing from Lifeblood’s possession and presumed to be stolen.

Someone got inside a storage room at the Lifeblood building on Madison and took the computers.

The dual-password protected laptops were used on mobile blood collection drives, and each included information about Lifeblood’s blood donors, including names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers.
[Evan] I have to say, "dual-password protected" sounds very impressive and very secure, but I should follow up and say IT'S NOT.  I am guessing that one password is for the operating system, which takes less than five minutes to bypass/change, and I am also guessing that there is (was) a password to access the database or the program that opens the database.  The second password probably isn't that hard to crack/bypass either.

The organization is notifying all of the approximately 320,000 affected individuals about the situation and encouraging them to place fraud alerts on their credit reports in the unlikely event that an unauthorized person gained access to the data on the computers.
[Evan] What a hassle for 320,000 people.

Lifeblood started sending out letters to donors this week, notifying them about what happened.

Based on the level of password security and the intricacies of the database structure, Lifeblood believes that it is extremely unlikely that an individual who is not specifically trained to use the laptop and who does not have a valid Lifeblood ID and password could access the information contained on it.
[Evan] If this statement weren't so sad, it would be funny.  I could stretch and maybe agree with "unlikely", but I would certainly not go as far as to say "extremely unlikely".  It really is easier than most people think.

"Our hope was we'd be able to locate the devices and with that we'd be able to find whether the database had been accessed or not," said Dr. Edward Scott of Lifeblood.

Since the discovery Lifeblood has implemented additional security measures to protect against future theft of property or donor information. These measures include more restrictive access to and continuous closed circuit monitoring of the areas housing the laptops, installation of software to allow remote tracking and erasure of the hard drives on laptops used on mobile drives, and additional programming to prevent full Social Security numbers from being downloaded to mobile laptops.
[Evan] WHERE IS ENCRYPTION?  Remote tracking and erasure provides some protection, but it isn't very hard to disable/bypass either to anyone with skill.  Nobody breaks strong encryption with sound key management, no matter how skilled they may be.  Why does a donor have to supply a Social Security number to donate blood in the first place?  What does my blood have to do with my Social Security benefits?

He says a private investigator's been working this case. But with no solid leads, they've now teamed up with Memphis Police.

"We're concerned it may be a former employee. Or someone else who had access to the building at the time," said Dr. Scott.
[Evan] Someone did have access or the laptops wouldn't be stolen.

The worry now though is that this breach will discourage people from donating.

"Blood is always going to be needed in the community, there's no substitute for that," said Dr. Scott.
[Evan] This is by far the most intelligent remark of any I have read about this breach.  PEOPLE NEED BLOOD AND BLOOD SAVES LIVES.  At the end of the day, I would trade my Social Security number to save someone's life.

Commentary:
We have now reported two blood centers that each stored confidential personal information on laptops (without encryption) and had them stolen.  The other was Memorial Blood Centers in Minnesota.  I don't understand why blood centers need my Social Security number in order for them to take my blood.  I assume they use it as a personal identifier.  I would much prefer that they create an identifier for me that cannot be used against me later.

I really appreciate all the work that blood centers do for the communities they serve, but they really don't serve the victims well when they don't take the time to properly secure the information they collect.

I cannot think of a good alternative to laptop encryption.  Why won't Lifeblood encrypt confidential data at rest?
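The response above mentions "additional programming to prevent full Social Security numbers from being downloaded to mobile laptops," and the commentary asks for a donor identifier that cannot be used against the donor later. The following Python is an added illustration of that data-minimization idea; it is not Lifeblood's code, and the donor records, field names and the `D-` identifier format are constructed for the example. The central database keeps the full record; the export that goes onto a mobile drive laptop carries a random surrogate donor ID plus the last four SSN digits for identity confirmation, and a pre-download check refuses any export that still contains a full SSN.

```python
"""Data minimization for mobile blood-drive laptops (added example).

Assumptions (not from the breach report): donor records are dicts with
name/phone/blood_type/ssn, SSNs use the ###-##-#### format, and the
mobile export needs only last-4 for confirming identity at the drive.
"""
import re
import secrets

# Constructed sample records, not real donors.
CENTRAL_DB = [
    {"name": "Alex Example", "phone": "555-0100", "blood_type": "O-", "ssn": "123-45-6789"},
    {"name": "Sam Sample", "phone": "555-0101", "blood_type": "A+", "ssn": "987-65-4321"},
]

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")

# Fields allowed on the mobile laptop; the full SSN is deliberately absent.
MOBILE_FIELDS = ("donor_id", "name", "phone", "blood_type", "ssn_last4")


def new_donor_id() -> str:
    """Random 96-bit surrogate ID: nothing about the donor can be derived from it."""
    return "D-" + secrets.token_hex(12)


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits; reject anything that is not a full SSN."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]


def build_mobile_export(records):
    """Return (export_rows, id_map).

    export_rows is what goes on the laptop; id_map (surrogate ID -> full
    record) stays at the central office, so a stolen laptop exposes no SSNs.
    """
    export, id_map = [], {}
    for rec in records:
        donor_id = new_donor_id()
        id_map[donor_id] = rec
        export.append({
            "donor_id": donor_id,
            "name": rec["name"],
            "phone": rec["phone"],
            "blood_type": rec["blood_type"],
            "ssn_last4": mask_ssn(rec["ssn"]),
        })
    return export, id_map


def contains_full_ssn(rows) -> bool:
    """Pre-download gate: True if any value in any row looks like a full SSN."""
    return any(
        isinstance(value, str) and SSN_RE.fullmatch(value)
        for row in rows
        for value in row.values()
    )


def confirm_identity(export_rows, donor_id: str, last4: str) -> bool:
    """Field-side check using only the minimized data on the laptop."""
    for row in export_rows:
        if row["donor_id"] == donor_id:
            return row["ssn_last4"].endswith(last4)
    return False


if __name__ == "__main__":
    rows, central_index = build_mobile_export(CENTRAL_DB)
    assert not contains_full_ssn(rows), "refuse download: full SSN present"
    print("mobile export OK:", rows)
    # Reconciling a drive record back to the full donor record happens at the office.
    print("central lookup:", central_index[rows[0]["donor_id"]]["name"])
```

The surrogate ID is random rather than a hash of the SSN; a hash of a nine-digit number is trivially reversible by enumeration, so it would offer no real protection on a lost device. The reverse mapping lives only in the central system, which is the same place that should hold the encryption keys the commentary asks about.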

Past Breaches:
Unknown

Comments
  • 2/14/2008 11:42 AM Mike M wrote:
    It is really sad that with the amount of lost or stolen laptops, and with the various data thefts taking place in the world, medical type facilities and companies still don't take the time or effort in protecting personal data. It makes me think that HIPAA is a joke to companies such as these.
  • 4/5/2008 10:18 PM R. Scoggins wrote:
    My husband and I gave blood for our grandson when he was born 10 yrs ago. We would like to know why our information is still in a laptop computer from 10 yrs ago??? Also, this year of theft and fraud protection is not enough, we could have information used years down the road.
  • 5/4/2008 11:05 PM Charles R. Curbo wrote:
    Sir, your comments about the attorney "getting rich off the little guy" are completely unfounded. You do not know me, have not discussed with me my motivations for filing the lawsuit, and I take pride in being one of the Defenders of the "Little Guys" who would not stand a chance against this alleged non profit corporation (these doctors have 30 plus corporations running out of the same office and have donors giving blood for free while they make millions, with their facade of charity) without brave lawyers such as myself (*I made $20,000.00 last year and worked 80 hours per week and represented about half my clients for free). Come meet me or talk to some of my clients and remember the old saying, when you assume, you make an ass out of you and me.

    Charles R. Curbo, attorney
    1. 5/5/2008 8:15 AM Evan Francen wrote:
      Duly noted.  I wish more lawyers (and people in general) had the same motivation you state that you do.  My experience varies.

      I have made an ass out of myself more times than I care to mention.  If I make an ass out of myself here, then so be it.

      Best Wishes to you Charles.  Thank you.
