MD Anderson Breach: What to Learn

By: Absolute Team | 7/4/2012

The University of Texas MD Anderson Cancer Center recently issued a notice that they have suffered a data breach putting as many as 30,000 patients at risk. Experts predicted that healthcare data breaches would reach "epidemic proportions" in 2012 and we are certainly seeing a continuation of large breaches in this industry. This particular breach offers many opportunities for improvement, which we will go over.

According to the note, an unencrypted laptop was stolen from a MD Anderson employee's home; police and MD Anderson were notified of the theft on May 1st. After outside forensics experts were called in, MD Anderson was able to confirm that the laptop contained patients' personal information including names, medical record numbers, treatment / research information and some Social Security numbers.

There is a lot we can learn from this breach about things MD Anderson could have done better, including:

Encrypt all laptops
Have inventory of data and where it is (this information should be instantaneous, not the result of forensic experts)
Set standards for the types of data employees can access and what they can do with it
Effectively communicate company privacy policies
Have software such as Computrace to allow you to respond if a device is missing or stolen - such response could include locking the device, delete data and notifying us so we can attempt to recovery the device

If you work in healthcare, read more about how Absolute Software can help you best meet your endpoint security and management needs.

Absolute Team

All Posts By This Author

The Third Question: What CISOs Aren’t Asking and What’s at Stake

Distance Learning Solutions Hub for Education

Resource Center for Remote Work and Distance Learning during the COVID-19 Outbreak

2020: The State of Endpoint Resilience™️ Report

Video: Absolute for Resellers and MSPs