Storage tapes and laptop stolen from employee’s car.
The Cord Blood Registry (CBR), the nation's largest stem cell bank, admitted that it lost unsecured personal data on 300,000 cord bank clients, a breach that could cost it millions to address.
The data were contained on LTO4 storage tapes and a Dell E6500 laptop that were stolen from a CBR employee’s car parked outside a San Francisco data center on Dec. 13, 2010, according to a report by Networkworld.
The lost data could have included client names, credit card numbers, driver’s license, and social security numbers, according to CBR spokeswoman Kathy Engle. The data were not encrypted, she added.
"Notifications went out to approximately 300,000 people. The vast majority of those people were clients who had signed up prior to 2006, but we did the broadest evaluation of possible missing data, which also included some more recent clients or recent prospect activity", Engle told Networkworld.
The letters to clients informing them of the data breach were dated Feb. 14, but some people did not receive the letters until March.
Explaining the delay, Engle said: "From the time of the incident, it took some time to determine the nature and extent of the data loss. CBR worked diligently to investigate the matter and...engaged consultants with specialized expertise to help evaluate the risk to clients and retrace which clients should be contacted. This process did not conclude until late January."
CBR is offering to provide free credit monitoring for a year to the clients affected by the data breach. Based on the latest research by the Ponemon Institute, the data breach could cost CBR millions (300,000 records times an average cost of $214 per lost record would come out to roughly $64.2 million, according to the latest figures).