Laptop Theft May Have Exposed PHI of 400,000 Current or Former California Inmates | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Laptop Theft May Have Exposed PHI of 400,000 Current or Former California Inmates

June 7, 2016
by Heather Landi
| Reprints

The theft of a non-encrypted laptop belonging to a staff member of California Correctional Health Care Services may have exposed the protected health information (PHI) of up to 400,000 patients who served time in California prisons during an 18-year period.

California Correctional Health Care Services (CCHCS), which provides medical services to approximately 128,000 inmates in 35 institutions in California, released a statement on May 16 reporting a potential breach of patient health information.

According to the statement, on April 25, following an investigation, CCHCS declared a potential breach of personally identifiable information (PII) and PHI that occurred on Feb. 25 when a staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle.

According to the statement, the laptop may be have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014.

In the U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal, also known as the Wall of Shame, the incident was posted May 15 and indicates that the breach may have affected up to 400,000 individuals.

In the statement, CCHCS said it was notifying each individual whose unsecured PHI has been, or is reasonably believed to have been accessed, acquired, used or disclosed as a result of the breach.

“As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our web site and notification to the media.”

“CCHCS is committed to protecting the personal information of our patients,” Joyce Hayhoe, director of communications and legislation, said in a statement. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”

According to the breaches posted to the HHS OCR portal, the CCHCS incident, involving 400,000 individuals, ranks third among the largest breaches this year to date.

The largest breach reported this year so far is 21st Century Oncology, which reported a breach in March affecting 2.2 million people due to a hacking/IT incident on its network server. The second largest breach so far this year was reported by Radiology Regional Center, which affected 483,000 people, due to a loss of paper and films. Followed by the CCHCS breach, there also was Premier Healthcare, which reported an incident affecting 205,700 people due to a stolen laptop. And, the fifth largest breach so far was reported by Community Mercy Health Partners in Ohio, which reported an incident involving the improper disposal of paper/films potentially affecting 113,000 people.


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Boston Children's Accelerates Data-Driven Approach to Clinical Research

In an effort to bring a more data-driven approach to clinical research, Boston Children’s Hospital has joined the TriNetX global health research network.

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

Despite the high level of hospital adoption of electronic health records and federal incentives to do so, paper and films were the most frequent location of breached data in hospitals, according to a recent study.

AHA Appoints Senior Advisor for Cybersecurity and Risk

The American Hospital Association (AHA) has announced that John Riggi has joined the association as senior advisor for cybersecurity and risk.

Report: Healthcare Accounted for 45% of All Ransomware Attacks in 2017

Healthcare fell victim to more ransomware attacks than any other industry in 2017, according to a new report from global cybersecurity insurance company Beazley.

Study: Use of EHRs Does Not Reduce Administrative Costs

A recent study by Duke University and Harvard Business School researchers found that costs for processing a single bill ranged from $20 for a primary care visit to $215 for an inpatient surgical procedure, or up to 25 percent of revenue.

Kibbe to Step Down as CEO of DirectTrust

David Kibbe, M.D., M.B.A., announced he would step down as president and CEO of DirectTrust at the end of the year.