A leading umbilical cord blood bank has agreed to settle Federal Trade Commission charges in connection with a December 2010 breach that led to the exposure of almost 300,000 consumers' Social Security and credit and debit card numbers, the FTC said Monday.
The FTC has not alleged that any company data was improperly accessed or used in the incident, the company, San Bruno, Calif.-based Cbr Systems Inc., said in a statement.
Under terms of the agreement between Cbr and the FTC, the blood bank will establish and maintain a comprehensive information security program and submit to security audits by independent auditors every other year for 20 years.
An FTC spokesman said the agency only has civil penalty authority if a firm agrees to a consent order and then violates it.
The FTC said in its statement that Cbr, a leading provider of umbilical cord blood and umbilical cord tissue banking services, did not use “reasonable and appropriate procedures” for handling personal information.
According to the FTC's complaint, the firm created unnecessary risks to personal information by, among other things, transporting backup tapes, a thumb drive and other portable data storage devices containing personal information “in a way that made the information vulnerable to theft.” The complaint also alleges that the firm did not take sufficient measures to prevent, detect and investigate unauthorized access to its computer networks.
The FTC said the company's failures contributed to a security breach in which unencrypted backup tapes containing consumers' personal information, along with a Cbr laptop, a Cbr external hard drive and a Cbr USB drive, were stolen from a company employee's personal vehicle in San Francisco.
The complaint also said that, in addition to the personal information on these devices, the unencrypted laptop and external hard drive contained network information, including passwords and protocols, that could have allowed an intruder to access the company's network, where sensitive personal information was stored.
The proposed consent order, which the commission approved unanimously, will be subject to public comment through Feb. 28, after which the commission will decide whether to make it final.
“The FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information collected by Cbr. The exposure of this information has the potential to cause real harm to consumers,” FTC Chairman Jon Leibowitz said in a statement.
Cbr said in its statement that “the agreement is for settlement purposes only and does not involve monetary damages or constitute an admission by CBR that the law has been violated.”
Ninety-four percent of health care organizations have suffered at least one data breach over the past two years, and 45% have suffered more than five such incidents, according to a study released Thursday by the Ponemon Institute.