The theft of a non-encrypted laptop belonging to a staff member of California Correctional Health Care Services may have exposed the protected health information (PHI) of up to 400,000 patients who served time in California prisons during an 18-year period.
California Correctional Health Care Services (CCHCS), which provides medical services to approximately 128,000 inmates in 35 institutions in California, released a statement on May 16 reporting a potential breach of patient health information.
According to the statement, on April 25, following an investigation, CCHCS declared a potential breach of personally identifiable information (PII) and PHI that occurred on Feb. 25 when a staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle.
According to the statement, the laptop may be have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014.
In the U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal, also known as the Wall of Shame, the incident was posted May 15 and indicates that the breach may have affected up to 400,000 individuals.
In the statement, CCHCS said it was notifying each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.
“As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our web site and notification to the media.”
“CCHCS is committed to protecting the personal information of our patients,” Joyce Hayhoe, director of communications and legislation, said in a statement. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”
According to the breaches posted to the HHS OCR portal, the CCHCS incident, involving 400,000 individuals, ranks third among the largest breaches this year to date.
The largest breach reported this year so far is 21st Century Oncology, which reported a breach in March affecting 2.2 million people due to a hacking/IT incident on its network server. The second largest breach so far this year was reported by Radiology Regional Center, which affected 483,000 people, due to a loss of paper and films. Followed by the CCHCS breach, there also was Premier Healthcare, which reported an incident affecting 205,700 people due to a stolen laptop. And, the fifth largest breach so far was reported by Community Mercy Health Partners in Ohio, which reported an incident involving the improper disposal of paper/films potentially affecting 113,000 people.