Unencrypted data storage tapes and a laptop were stolen from an employee’s car, leading the Cord Blood Registry to notify 300,000 people that their data may be at risk. Paul McNamara summarizes at NetworkWorld, with thanks to Redemtech for the tip. The break-in occurred on December 13, 2010 and CBR, based in San Francisco, mailed 300,000 letters dated February 14. A copy of the letter can be found here.

CBR maintains that while the lost data did contain personally identifiable information (PII), medical details were not included. Said CBR’s director of corporate communications, Kathy Engle, “The tapes may have contained personal client data of adults (credit card numbers, driver’s license numbers or social security numbers); nothing on children and no health information at all.”

It costs a lot of money to mail 300,000 letters. As the new Ponemon Cost of a Data Breach Study confirms yet again, the costs may be only beginning.