The world's largest stem cell bank, Cord Blood Registry, has mailed data-breach warning letters to some 300,000 people after storage tapes and a laptop were stolen from an employee's car.
The break-in occurred just before midnight on Dec. 13, 2010, outside a private data center in San Francisco called 365 Main Street, according to a police report, yet at least some of those put at risk received their letter from CBR only last week. The letter is dated Feb. 14.
Kathy Engle, CBR's director of corporate communications, tells me that while the stolen tapes did contain personally identifiable information that was unencrypted, they did not include any medical details about either adults or their children.
"Notifications went out to approximately 300,000 people," Engle says. "The vast majority of those people were clients who had signed up prior to 2006, but we did the broadest evaluation of possible missing data, which also included some more recent clients or recent prospect activity."
The company claims there have been no reports of identity theft linked to the data breach.
"The tapes may have contained personal client data of adults (credit card numbers, driver's license numbers or social security numbers); nothing on children and no health information at all," says Engle.
CBR stores umbilical cord blood and tissue, which are sources of stem cells used in medical treatments, for about 350,000 newborns, according to the company's Web site. CBR customers pay $2,200 for the initial blood collection and $125 a year for storage ($2,900 and $250 for both blood and cord tissue).
Among the items stolen from the CBR employee's car were three LTO4 tapes and a Dell E6500 laptop. The employee told police the items were in a backpack in the trunk of the car and that the thief gained entry by breaking the rear passenger-side window during the approximately 20 minutes he had left the vehicle unattended.
As for why it took more than two months to notify customers, Engle says:
"From the time of the incident, it took some time to determine the nature and extent of the data loss. CBR worked diligently to investigate the matter and ... engaged consultants with specialized expertise to help evaluate the risk to clients and retrace which clients should be contacted. This process did not conclude until late January."
One letter recipient -- an IT professional who once worked for storage giant EMC -- says he and his wife never did business with CBR beyond filling out a form at a baby fair five years ago. His reaction: "What on earth are LTO4 tapes doing in a trunk with all this 'secure' information? CBR hasn't described what was actually stolen either. I'm frustrated."
As is customary in these situations, CBR is offering a year's worth of free credit monitoring to those who want it and assurances it will do better guarding personal information for those who care.
Finally, I asked Engle why there has been no mention of the breach on CBR's Web site.
"We determined that the safest and most efficient way to handle this communication was through a direct letter to clients."
I don't know about safest and most efficient, but it's certainly the quietest.
(Note: This post has been changed to reflect confirmation that the data on the stolen tapes was unencrypted.)