TAMPA — A briefcase containing the personal information of 4,056 patients at Moffitt Cancer Center was stolen from a doctor’s car weeks ago, the center recently announced.
The briefcase contained two personal USB storage devices, which were not encrypted, and printouts of clinical schedules, according to a patient notice posted Sept. 2 on Moffitt’s website. The information included patient names, dates of birth, medical record numbers and some information about what kind of medical treatment those patients received at Moffitt, the notice says.
However, the center said the information did not include patients’ Social Security numbers, including partial numbers, or financial information.
The theft occurred July 2. Moffitt officials say they learned of it two days later, on July 4. The center said it started sending out letters notifying patients about the data breach on Sept. 2. The stolen information “involves certain patients who received care through the Blood and Marrow Transplant Department,” according to the notice.
When asked Friday why it took nearly two months to notify patients, Moffitt spokesperson Patty Kim said that the center “conducted a thorough investigation which involved an intensive review of the information known to be contained on the drive.”
“Patients were notified as soon as possible,” she said.
The U.S. Department of Health and Human Services Office for Civil Rights is also investigating the incident, according to the agency’s directory of medical data breaches.
Kim declined to say whether the physician — whose name was not released — is facing any disciplinary action because the center “cannot comment on personnel matters.” But, she said, Moffitt officials are reviewing the use of USB storage devices and are enhancing the facility’s auto-encryption policies.
The center “has no indication that the information was viewed or misused,” according to the Sept. 2 notice. Officials came to that conclusion, Kim said, because no Social Security numbers or financial information were involved in the breach.
However, a cyber security expert told the Tampa Bay Times that the information could still be used to steal someone’s identity.
“About 80 to 85 percent of the information has already been revealed,” said Guillermo Francia III, a faculty scholar and professor at the University of West Florida’s Center for Cybersecurity. “They might be able to finish out the last missing piece of the Social Security number. This is a scary thing.”
Francia said health information should always be encrypted, especially if it’s being taken out of a health facility. He also questioned why it took almost two months for Moffitt to notify patients. While federal regulations require that patients be notified of a breach within 60 days, Francia said, sooner is better for the patient. Moffitt began sending out patient notices on Sept. 2 — 59 days after center officials learned of the theft.
“Why they had to wait that long, I don’t understand,” Francia said.
Moffitt encouraged any patients who believe they were affected by the theft to call 1-888-253-7598 between 8 a.m. and 5 p.m. Monday through Friday.