
Up to 400,000 Prisoners’ PHI and SSNs Exposed

Up to 400,000 current and former prisoners incarcerated by the California Department of Corrections and Rehabilitation between 1996 and 2014 have potentially had their Social Security numbers, medical data, and personally identifiable information exposed.

The data breach was reported last month by California Correctional Healthcare Services (CCHCS) and a substitute breach notice was posted on the CCHCS website on May 13; however, at the time it was unclear exactly how many prisoners had been affected.

While this is still uncertain, the Office for Civil Rights breach report indicates as many as 400,000 individuals may have been affected. An exact figure is not known as the investigation conducted by CCHCS has not determined which individuals’ data were stored on the device. The figure of 400,000 is the total number of patients who had received healthcare services from CCHCS between 1996 and 2014.

That makes this the third largest healthcare data breach so far reported in 2016, behind only the 483,000-record breach at Radiology Regional Center, and the 2.2 million-record data breach at 21st Century Oncology.


The password-protected laptop computer was left in an employee’s vehicle, from which it was stolen on February 25th, 2016. CCHCS investigated the security breach but had difficulty determining whether patient data were stored on the laptop. On April 25, CCHCS concluded that the data of current and former prisoners had been exposed.

When laptop computers and other portable electronic devices are stolen, it is usually possible to ascertain which individuals have been affected by consulting data backups. In this case, however, that does not appear to have been possible, at least at present.

Breach notification letters must therefore be sent to all individuals potentially affected by the breach; however, this is likely to be problematic. Former inmates can be difficult to trace after release from prison, and since much of the data is old, up to 20 years in some cases, contacting individuals by mail may not be possible.

The substitute breach notice posted on the CCHCS website indicates attempts have been made to contact former prisoners. “As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our website and notification to the media.”

A number of measures have now been implemented to reduce the probability of similar breaches of protected health information occurring. Those measures include – but are not limited to – providing staff members with additional training on data security, updating policies and procedures, and implementing additional technology controls.

The incident highlights the risk of storing sensitive data on portable devices. Had data been stored centrally, the breach could have been prevented. If local storage of data was necessary, the use of data encryption could also have prevented a breach from occurring.
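The distinction the paragraph draws between a "password-protected" laptop and an encrypted one is the one a defender actually has to verify on each device: an OS login password does nothing for data at rest once the drive is pulled, whereas a dm-crypt (LUKS) volume does. The following is an added example written for this article, not a CCHCS tool or anything published by HIPAA Journal. It parses the JSON that util-linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces and reports which of a list of sensitive paths sit on a filesystem that is not backed by an encrypted block device. The two `lsblk` outputs embedded below are constructed samples; the field names (`blockdevices`, `type`, `mountpoint`/`mountpoints`, `children`) are the real ones `lsblk` emits.

```python
"""
Audit helper: confirm that the filesystems holding sensitive data (PHI, SSNs)
are backed by an encrypted block device, using `lsblk` JSON output.

Usage on a live Linux host:
    lsblk -J -o NAME,TYPE,MOUNTPOINT | python3 this_file.py /home /var/lib/records
(newer util-linux prints a "mountpoints" list instead of "mountpoint"; both
shapes are handled).
"""
import json
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Tuple


def _walk(devices: Iterable[dict], parent_encrypted: bool = False) -> Iterator[Tuple[str, bool]]:
    """Yield (mountpoint, encrypted) for every mounted node in the lsblk tree.

    A node is considered encrypted if it is a dm-crypt mapping ("crypt") or
    any ancestor is, which covers LVM-on-LUKS layouts.
    """
    for dev in devices:
        encrypted = parent_encrypted or dev.get("type") == "crypt"
        mounts = dev.get("mountpoints")
        if mounts is None:                      # older lsblk: single field
            mounts = [dev.get("mountpoint")]
        for mp in mounts:
            if mp:
                yield mp, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def mount_encryption_map(lsblk_json: str) -> Dict[str, bool]:
    """Return {mountpoint: is_encrypted} for the whole device tree."""
    tree = json.loads(lsblk_json)
    return dict(_walk(tree.get("blockdevices", [])))


def _mount_for(path: str, mounts: Iterable[str]) -> Optional[str]:
    """Longest mountpoint that is a prefix of `path` (the filesystem it lives on)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def unencrypted_mounts(lsblk_json: str, required_paths: Iterable[str]) -> List[str]:
    """Paths that are not on an encrypted filesystem (or on no known mount at all)."""
    enc = mount_encryption_map(lsblk_json)
    problems = []
    for path in required_paths:
        mp = _mount_for(path, enc)
        if mp is None or not enc[mp]:
            problems.append(path)
    return problems


# Constructed sample: root filesystem on a LUKS container (typical FDE layout).
SAMPLE_ENCRYPTED = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]}]})

# Constructed sample: plain root partition plus an unencrypted USB stick,
# i.e. a "password-protected" laptop whose data is readable once the disk is removed.
SAMPLE_PLAIN = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": "/"}]},
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/media/phi-export"}]}]})


def main(argv: List[str]) -> int:
    paths = argv[1:] or ["/home"]
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAIN
    bad = unencrypted_mounts(data, paths)
    for p in bad:
        print(f"UNENCRYPTED: {p}")
    print("OK: all audited paths are on encrypted volumes" if not bad else f"{len(bad)} problem(s)")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check is deliberately per-mount rather than per-disk: on the encrypted sample `/boot/efi` is still reported as unencrypted, which is correct and is exactly why data directories, not just "the laptop", need to be audited. Pairing this with a fleet inventory (which devices ran the check, and when) is what turns a stolen-laptop incident into a non-event under the encryption guidance the page refers to.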

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.