Laptop Theft May Have Exposed PHI of 400,000 Current or Former California Inmates | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Laptop Theft May Have Exposed PHI of 400,000 Current or Former California Inmates

June 7, 2016
by Heather Landi
| Reprints

The theft of a non-encrypted laptop belonging to a staff member of California Correctional Health Care Services may have exposed the protected health information (PHI) of up to 400,000 patients who served time in California prisons during an 18-year period.

California Correctional Health Care Services (CCHCS), which provides medical services to approximately 128,000 inmates in 35 institutions in California, released a statement on May 16 reporting a potential breach of patient health information.

According to the statement, on April 25, following an investigation, CCHCS declared a potential breach of personally identifiable information (PII) and PHI that occurred on Feb. 25 when a staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle.

According to the statement, the laptop may be have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014.

In the U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal, also known as the Wall of Shame, the incident was posted May 15 and indicates that the breach may have affected up to 400,000 individuals.

In the statement, CCHCS said it was notifying each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.

“As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our web site and notification to the media.”

“CCHCS is committed to protecting the personal information of our patients,” Joyce Hayhoe, director of communications and legislation, said in a statement. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”

According to the breaches posted to the HHS OCR portal, the CCHCS incident, involving 400,000 individuals, ranks third among the largest breaches this year to date.

The largest breach reported this year so far is 21st Century Oncology, which reported a breach in March affecting 2.2 million people due to a hacking/IT incident on its network server. The second largest breach so far this year was reported by Radiology Regional Center, which affected 483,000 people, due to a loss of paper and films. Followed by the CCHCS breach, there also was Premier Healthcare, which reported an incident affecting 205,700 people due to a stolen laptop. And, the fifth largest breach so far was reported by Community Mercy Health Partners in Ohio, which reported an incident involving the improper disposal of paper/films potentially affecting 113,000 people.


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.

Cedars-Sinai Accelerator Program Presents Fourth Class of Startups

The Cedars-Sinai Accelerator, a program that helps entrepreneurs bring their innovative technology products to market, has brought in nine more health tech startups as part of its fourth class.

DirectTrust Adds Five Board Members

DirectTrust, a nonprofit organization that support health information exchange, announced the appointment of five new executives to its board of directors.

Analysis: Many States Continue to Have Restrictive Telemedicine Policies

State Medicaid programs are evolving to accelerate the adoption of telemedicine models, this evolution is occurring more quickly in some states than others, according to a recent analysis by Manatt Health.