Los Angeles County Government Has Been Putting Patient PHI at Risk for 7 Years
The Los Angeles County government has failed to safeguard the Protected Health Information (PHI) of state residents for up to seven years, according to a recent audit.
Three departmental audits have been conducted since December 2014 and a catalog of data security failures have been uncovered that potentially put PHI in the hands of thieves. Data including Social Security numbers and health information could be accessed by former workers, and the information could already be in the hands of criminals. It is simply not known. Computer equipment has vanished – having been misplaced or stolen – devices were not encrypted, and equipment was simply not tracked.
Serious Administrative Failures Lasting up to 7 Years
Serious administrative failures in several L.A County government departments were discovered by auditors, the most serious being a failure to terminate access to computer systems when employees changed employment.
An audit conducted by the Probation Department revealed 695 former employees still had access to computer systems containing the protected health data of juvenile detainees. This security breach had been allowed to persist for an astonishing seven years.
During that time it was discovered 33 different individuals had continued to use their access rights and had viewed data after the date their employment ended. The report was released earlier this month and all old accounts are now finally being closed.
In December of last year, a social services department audit revealed that 442 workers still had access to computer systems, even though they no longer worked for the department. At the Department of Public Health, 13 former employees still had access to health information after they had been reassigned.
Computers Misplaced, Not Tracked and Given Away
A Probation Department audit revealed computer equipment – potentially containing protected or confidential data – was simply not being tracked. Eighteen computers appeared to be missing. An investigation determined the location of 10 of them; what happened to the other 8 remains a mystery. Some had apparently been sent to salvage and some donated. The audits did not reveal if the data on the computers had been securely and permanently erased before donation. It was a similar story at the department of social services, where equipment inventories were improperly maintained and inaccurate.
Basic Security Measures not Being Followed
Even basic data security measures were not being followed. The social services department audit revealed 25% of computers being used by the Department of Social Services had outdated anti-virus software. In April of this year, an audit of the Department of Public Health uncovered a lack of physical controls to secure data. Computer equipment was being stored in a warehouse open to the public, and when equipment was stolen, the Department of Public Health failed to report it.
Fully functional key cards were not taken from 21 employees after reassignment and hose keycards remained active for up to five years, according to the LA Times.
A number of the issues uncovered by the audits are in the process of being addressed, and a meeting has been scheduled for Tuesday next week when the issues will be discussed.