400,000 Current and Former Prisoners’ PHI Exposed

California Correctional Healthcare Services announced last month that an employee left a laptop computer in a vehicle and that the device had been stolen. The theft occurred on February 25, 2016, and the ensuing investigation revealed on April 25 that some protected health information was likely to have been stored on the device.

The data likely to have been stored on the device include patients’ names, addresses, custodial information, medical information, and Social Security numbers.

In order to access the data a password would be required; however, the data on the device were not encrypted and could potentially be accessed if the password were cracked. For a hacker this is a relatively straightforward task.
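The distinction the paragraph draws is between a login password, which only gates the operating system, and encryption at rest, which is what actually protects data on a device that has been stolen. An audit that flags mounted filesystems with no encryption layer beneath them is one way to catch that gap before a laptop leaves the building. The following is an added example, not code from the breach report or from California Correctional Healthcare Services; it parses the JSON tree produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` (the older single `mountpoint` field is assumed) and treats a mount as protected only if it, or an ancestor device, is a dm-crypt (`crypt`) layer. The sample device layout is constructed for the example.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output.
# Device names and layout are made up for this example: sda2 holds a LUKS
# container with root and home inside it, while sdb1 is a plain partition.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/data"}
    ]}
  ]
}
"""


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Return (device, mountpoint) pairs that have no dm-crypt layer beneath them.

    Walks the lsblk device tree depth-first. A mount counts as encrypted only
    if the device itself or some ancestor has type "crypt". Boot partitions
    are skipped by default because they are normally left unencrypted.
    """
    tree = json.loads(lsblk_json)
    exposed = []

    def walk(dev, under_crypt):
        # Once we pass through a "crypt" node, everything below it is encrypted.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and not under_crypt and mountpoint not in ignore:
            exposed.append((dev["name"], mountpoint))
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return exposed


def data_at_rest_is_protected(lsblk_json):
    """True when every non-boot mount sits on top of an encryption layer."""
    return not unencrypted_mounts(lsblk_json)


if __name__ == "__main__":
    # On a real host you would feed in: subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    for name, mountpoint in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"WARNING: {mountpoint} on {name} is not encrypted at rest")
```

Run against the constructed sample, the check reports `/data` on `sdb1` as unprotected while `/` and `/home` pass because they sit under the `cryptroot` layer. A login password alone would give the same false sense of safety for `/data` that the article describes: the partition can be read once the disk is removed or booted from other media.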

Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, California Correctional Healthcare Services must send breach notification letters to all patients whose protected health information was potentially exposed.

California Correctional Healthcare Services has not yet been able to determine exactly which individuals have had their data exposed, so notification letters will be sent to all patients who received medical services between 1996 and 2014. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates 400,000 individuals have been affected, making this the third largest healthcare data breach reported to the OCR in 2016.

Some prisoners affected by the breach have been released from prison. Contacting these individuals may prove to be difficult. California Correctional Healthcare Services has contact information for all of its former patients; however, the information may be out of date.

A substitute breach notice has been placed on California Correctional Healthcare Services’ website, and a breach notice has been issued to the media. Breach notification letters will also be sent to the individuals at the addresses on file. Many individuals may not receive notifications and may be unaware that their data have been compromised.

California Correctional Healthcare Services has taken action to reduce the risk of future data breaches, which includes providing staff members with additional training, reviewing and updating policies and procedures, and implementing new technology to keep data secure. The individual who left the laptop computer unattended has also been disciplined.

All breaches of protected health information that impact more than 500 individuals are investigated by the OCR. If HIPAA Rules are discovered to have been violated, organizations can face stiff financial penalties, irrespective of whether the covered entity is a private or public organization.

The OCR will attempt to determine whether the controls put in place to keep the protected health information of patients secure were of the standard demanded by HIPAA, and whether a comprehensive risk assessment had taken place. If not, the decision may be taken to issue a financial penalty.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news