Stem Cell Blood Bank Settles after Losing Personal Data of 298,000 Clients

Wednesday, February 13, 2013

San Bruno, California-based CBR Systems Inc., which claims to be the world’s leading stem cell bank, hopefully does a better job of storing its product than it does personal data from clients.

The company agreed to separate settlements with the Federal Trade Commission (FTC) and potential class-action plaintiffs resulting from its loss of Social Security numbers and credit card information for 298,000 of its clients. The unencrypted data was lost when a laptop computer, a USB drive and an external hard drive were stolen from an employee’s car near San Francisco.

CBR Systems provides umbilical cord blood and tissue banking services to clients who pay to preserve and store a newborn’s cord blood and cord tissue. The blood and tissue contain stem cells, which have the potential to treat some diseases and conditions.

CBR lost the personal data in December 2010, but it wasn’t publicly reported until February 2011. Client Eileen Johansson-Dohrmann filed a lawsuit in January 2012 seeking class-action status after rejecting a small offer of compensation from CBR. Her lawsuit claimed that the company was negligent in handling the information and derelict in its responsibility to contact the victims in a timely fashion.

The FTC filed an administrative complaint against CBR, and during its investigation found that “CBR also failed to take sufficient measures to prevent, detect, and investigate unauthorized access to computer networks.” The company settled in November with the FTC by agreeing to establish a comprehensive security program and submit to annual security audits by independent contractors for 20 years.

Last week, the company reached a settlement with Johansson-Dohrmann and agreed to  begin encrypting its data and provide two years of credit monitoring and insurance at a cost, it said, of $112 million. Plaintiff’s lawyers got $600,000.

–Ken Broder


To Learn More:

Cord Blood Bank to Improve Data Security (Reuters)

Cord Blood Bank Settles FTC Charges that it Failed to Protect Consumers’ Sensitive Personal Information (Federal Trade Commission)

Judge Approves Settlement over Blood Bank’s Data Breach (by Terry Baynes, Thomson Reuters)

Leave a comment