Laptop Thefts Expose the PHI of California Healthcare Patients
Three potential healthcare data breaches have been recently reported, two of which occurred as a result of the theft of laptop computers and exposed the protected health information (PHI) of healthcare patients in California.
California Correctional Health Care Services Reports Theft of Laptop Computer
On February 25, 2016., an unencrypted password-protected laptop computer was stolen from the vehicle of an employee of California Correctional Health Care Services (CCHCS). The laptop may have been used to store the PHI of patients of the California Department of Corrections and Rehabilitation.
According to a May 14 substitute breach notice submitted to the California Office of the Attorney General, CCHCS identified the breach on April 25.
CCHCS conducted an investigation into the incident but was not able to determine whether sensitive data were actually stored on the device. CCHCS believes that if sensitive data were exposed, affected individuals would be those who had been imprisoned between 1996 and 2014. Data potentially stored on the laptop include custodial information, medical data, mental health data, and personal identifiers.
To prevent similar incidents from occurring in the future, CCHCS will be implementing “appropriate technology protections” on all mobile devices used to store sensitive information. Staff members will also be retrained and efforts will be made to reinforce security practices.
Burglary Results in Exposure of PHI of Imperial Valley Family Care Medical Group Patients
An unencrypted laptop computer was stolen in a burglary of the office of Imperial Valley Family Care Medical Group’s Dr. Sampat on March 21, 2016. Data stored on the device include patients’ names, addresses, and other personal information including dates of birth and health information.
Other information stored on the device include Social Security numbers, Driver’s License numbers, and California ID card information. Any individual who had these data exposed have been offered a year of credit monitoring, credit reporting, and identity theft protection services without charge. The incident has been reported to El Centro PD, although the laptop computer has not been recovered.
PruittHealth of South Carolina Advises Patients of Potential PHI Exposure
PruittHealth Home Health of Beaufort, South Carolina, has notified 1,500 patients of a security incident that potentially resulted in their PHI being viewed by unauthorized individuals.
The Low County offices of PruittHealth Home Health were broken into on March 2, 2016. The perpetrator(s) only stole the petty cash from the offices, although since PHI could potentially have been viewed while the perpetrator(s) were on the premises, breach notifications were issued in accordance with 45 C.F.R. § 164.404/406.
PruittHealth does not believe that any sensitive data were accessed during the break in as no files appeared to have been disturbed and none were taken. However, the files did contain patient names, dates of birth, addresses, some clinical information, location and dates of service, and Social Security numbers.
In response to the break in, PruittHealth will be improving security at its offices.