Affected individuals get free identity protection service

Feb 4, 2015 10:50 GMT

Personal data of patients and employees at the Boston Baskin Cancer Foundation may have been exposed at the beginning of December 2014, when an external hard drive belonging to the organization was stolen during a burglary.

The storage unit was in use by an employee of the foundation, whose home was broken into and multiple electronic devices were taken. Representatives of the organization say that the employee “was properly authorized to work on the data at home as part of his job.”

Unfettered access to the hard drive's content

A backup of the content on the hard drive is available, according to WREG, but the issue is that the information on the stolen drive was not protected in any way.

“Unfortunately, the hard-drive was not encrypted,” reads a letter from the foundation to the affected individuals. This means that the details available on the external storage can be accessed by simply connecting the device to a computer.

Boston Baskin Cancer Foundation says that the sensitive data belonging to patients included names, social security numbers, dates of birth, dates of the last clinic visits, and phone numbers.

It is unclear how many people are affected by the incident, but the foundation says in an official announcement that patients seen at the Boston Baskin offices between 2008 and July 2014 are impacted.

The information belonging to employees (current and former) is equally sensitive and included social security numbers, dates of birth, titles, office locations, hire dates, and pay rates.

No evidence of data misuse has been recorded

The organization does not have any evidence that the sensitive information was misused in any way. Most of the time, the target of robberies involving electronic items that may store confidential data is not the information itself but the product, which can be easily exchanged for cash.

However, thieves who recognize the value of a social security number on underground cybercriminal forums may try to make some extra money by selling the database.

As per good data protection practices, businesses should encrypt sensitive content stored on mobile storage units, such as external hard disks or laptop computers. This way, even if the device falls into the wrong hands, the information stays protected.

As a precaution, Boston Baskin Cancer Foundation offers the people impacted by the incident a one-year free subscription to the identity protection services of a major company. Recipients of the letter are not enrolled automatically; they can enroll themselves by following the instructions provided.