The University of Texas MD Anderson Cancer Center announced that an unencrypted portable USB thumb drive containing some patient and research information was lost on an MD Anderson employee shuttle bus on July 13. After learning of the incident on July 14, MD Anderson immediately began a search for the device and conducted a thorough investigation. Unfortunately, the USB thumb drive has not been located.
MD Anderson officials say they have no reason to believe that the information has been or will be accessed improperly, but as a precaution,they began mailing letters on August 17 to approximately 2,200 patients whose information was on the drive. Information on the drive included patient names, dates of birth, medical record numbers and diagnoses, and treatment and research information. The drive did not contain Social Security numbers or other financial information.
The following statement was issued:
"MD Anderson deeply regrets that this incident has occurred. The institution is enhancing its practices regarding the use of portable devices to transport patient data and is working to encrypt these devices. Encryption is a technology that scrambles each device's data in a way that makes it more difficult for an unauthorized user to retrieve any information from the device. Additionally, MD Anderson has purchased a significant number of encrypted USB thumb drives for distribution to employees who handle sensitive data. Finally, the institution also is reinforcing employee education around our privacy policies that govern the handling of patient information and the use of portable devices to transport such data."