MD Anderson suffers data breach via stolen computer

The University of Texas MD Anderson Cancer Center announced that a computer containing patient and research information was stolen from a physician’s home on April 30. The physician notified the local police department.

After learning of the theft on May 1, MD Anderson immediately began a thorough investigation, including working with outside forensics experts, to determine the information contained on the computer. After completing the investigation, MD Anderson was able to confirm that the computer contained patient information, including names, medical record numbers, treatment and/or research information, and, in some instances, Social Security numbers.

There is an ongoing criminal investigation into the theft.

MD Anderson worked with forensics experts to recreate the information that was on the stolen computer, and after extensive analysis MD Anderson notified patients as soon as it was able. MD Anderson has no reason to believe that the computer was stolen for the information it contained, since other items were stolen from the employee’s home. MD Anderson began mailing notification letters on June 28 to patients who may have been affected. MD Anderson is offering credit monitoring services for those whose Social Security numbers were included in the data and providing call center support to all affected.

To help prevent this from happening in the future, MD Anderson is accelerating efforts to encrypt all facility computers, which scrambles each computer's data to make it more difficult for unauthorized users to retrieve any information. MD Anderson is also reinforcing its privacy policies with all employees.