PHI Breach Reported by LA County USC Medical Center

More than 700 patients of the neurosurgery clinic of LA County’s USC Medical Center have been informed that some of their protected health information has been obtained by criminals.

Printed lists of patients who had visited the LAC+USC neurosurgery clinic were stolen from the vehicle of an employee. The lists contained full names, genders, telephone numbers, medical record numbers, dates of birth, appointment times, reasons for appointments, and medical diagnoses. The lists had been printed to allow the employee to perform certain work duties; however, the paperwork was left unattended in the employee’s vehicle. The car was vandalized and broken into on July 8, 2016. The incident has been reported to law enforcement and the Los Angeles Sherriff’s Department is investigating the theft.

No social security numbers, financial information, or insurance details were exposed, although patients have been told that they should monitor their accounts and check explanation of benefits statements for any signs of fraudulent activity. No reports of PHI misuse have been received by USC Medical Center to date, although the possibility that the data will be used for fraud or identity theft cannot be ruled out.

Patients whose addresses were on file were sent breach notification letters by mail on August 25/26 and a substitute breach notice has been uploaded to the County of Los Angeles website.

All USC Medical Center employees receive training on privacy and security and are informed that they must protect and secure the patient data. The policies do not specifically cover vehicles, instead employees are expected to use good judgement when handling or storing PHI. The employee from whom the information was stolen has received further training and USC Medical Center is conducting a review of its privacy and security practices.

To prevent future PHI breaches of this nature, USC Medical Center has identified a secure document storage location which staff have been informed to use. Random audits will be conducted to ensure that staff members at the affected location are securely storing documents containing PHI.

The PHI breach has been reported to the state attorney general’s office and the Department of Health and Human Services’ Office for Civil Rights in accordance with state and federal regulations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.