Stem Cell Bank Mistakenly Leaks Personal Information

Cord Blood Registry loses patient data.

ByABC News
February 15, 2011, 2:16 PM

March 31, 2011— -- The database compromise club has a new member. Mazel Tov, Cord Blood Registry. You are the latest organization to fail in your responsibility to your clients by neglecting to provide even minimal security for their personal data. Your membership card is in the mail.

Who is CBR?

Before diving into the data leak, let's learn a bit more about Cord Blood Registry. CBR is perhaps the world's largest stem cell bank storing more than 350,000 cord blood collections for individuals and their families.

As my Credit.com colleague Chris Maag wrote: "The Cord Blood Registry saves stem cells from umbilical cords, which is useful in treatment for sickle cell anemia, and in transplant surgeries to minimize the risk of new organs getting rejected by the body. Researchers are studying other potential uses, including regenerating cells to repair damaged tissue."

[Article: Big Data Breach at Sensitive Lab Prompts Credit Scare]

They claim to be the biggest and "baddest" at what they do.

"Our 80,000 square foot laboratory is the largest cord blood processing facility in the world with some of the most advanced technology in the industry."

As CBR says on their website:

You can rely on our experience and expertise for your family.

But based on what they lost, how they lost it, when they lost it, the timing and way they explained it, it's obvious that they have some serious work to do if they want to regain their clients' trust.

OOPS!

300,000 CBR clients received this belated Valentine's Day card from David Zitlow, Executive Vice President for External Affairs. It opens with the following:

"I am writing to let you know that an incident occurred that may lead to personal information about you being exposed."

The personal information referenced is of a demographic and financial nature. Translation: names, Social Security numbers, driver's license numbers, credit card numbers and credit card expiration dates.

Apparently, a backpack containing three unencrypted storage tapes, a Dell laptop, zip drive and external hard drive was stolen from a CBR employee's car, shortly before midnight on December 13, 2010 outside of 365 Main Street—a private data center in San Francisco.