HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CalOptima Discovers Breach That Impacts 56,000 Members

CalOptima is alerting members to a privacy breach for the second time in a month. This time it was not a printing error that resulted in PHI being exposed, but the actions of a departing employee.

Prior to leaving employment, the former employee downloaded the protected health information of individuals who were enrolled in the county’s health plan for low-income and disabled Californians.

The first HIPAA breach, which occurred between July 29 and August 2, impacted 1,000 individuals and resulted in a limited amount of PHI being disclosed to other members. The latest breach involved more data elements and appears to have impacted tens of thousands of members.

The Orange County Register has reported that 56,000 breach notification letters were dispatched on October 14 advising members of the breach. That equates to 7% of CalOptima’s members. The exact number of breach victims will not be known until the incident appears on the Department of Health and Human Services’ Office for Civil Rights’ breach portal.

CalOptima discovered PHI had been downloaded onto an unencrypted flash drive and the subsequent investigation led to the departed employee. Contact was made and within two days the thumb drive was returned to CalOptima. Oftentimes, data are taken to commit identity theft and fraud, although many employees take PHI to pass on to future employers. CalOptima has not indicated why the former employee took members’ data before leaving the company.

CalOptima does not believe PHI has been shared with any other party although the possibility of unauthorized disclosure of members’ PHI cannot be ruled out. As a precaution against identity theft and fraud, CalOptima has told its members to exercise caution and “closely monitor the security of their credit and personal information.” Affected members have also been offered a year of Triple Bureau credit monitoring services without charge.

The breach notice submitted to the California attorney general’s office says Social Security numbers and driver’s license numbers were not stolen by the employee. The drive is believed only to contain members’ names, demographic information, and health plan information, although the investigation is continuing and CalOptima is still checking the contents of the flash drive. However, the Orange County Register has reported some members’ Social Security numbers may have also been copied onto the portable storage device.

According to CalOptima spokesperson Bridget Kelly, the company has now “implemented several additional safeguards to better protect members against this type of incident in the future.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.