UPDATE: It turns out “notifying everyone” involved notifying 400,000 people, as reported to HHS.
ABC10 reports:
California Correctional Health Care Services announced Friday that a laptop was stolen that may contain the personal information of patients.
The theft happened from the employee’s personal vehicle on February 25, according to Liz Gransee, public information officer with the Office of the Receiver. She stated the laptop may have contained information for patients of the California Department of Corrections and Rehabilitation incarcerated between 1996 and 2004.
The incident was subject of an investigation that ended on April 25.
Read more on ABC10.
I do not see this incident on their site, CDCR’s site, the California Attorney General’s breach notification site (where they’ve reported three breaches in the past), or on HHS. DataBreaches.net has emailed an inquiry to the state, requesting additional details, and will update this post if more information becomes available. The inquiry included questions asking how many patients were involved, whether the laptop should have been encrypted, whether policies were violated, and if so, whether the employee disciplined.
Update: CDCR kindly sent me a copy of their press release on the incident:
ELK GROVE, CA – On April 25, 2016, following an investigation, California Correctional Health Care Services (CCHCS) declared a potential breach of Personally Identifiable Information (PII) and Protected Health Information (PHI) that occurred on February 25, 2016. A staff member’s non-encrypted, password-protected laptop was stolen from their personal vehicle. This laptop may have contained PII and PHI for patients within the California Department of Corrections and Rehabilitation incarcerated between the years 1996 and 2014.
Under current federal regulations, an entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. (See second page attachment for copy of the Privacy Breach Notification Letter.) As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our web site and notification to the media.
“CCHCS is committed to protecting the personal information of our patients,” said Joyce Hayhoe Director of Communications and Legislation. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”
Persons who feel they may have been affected by this potential data breach can contact our department with questions or concerns via the following methods:
Toll-free Hotline: 877-974-4722
Physical Mail:
California Correctional Health Care Services
Controlled Correspondence Unit
PO Box 588500
Elk Grove, CA 95758-8500
When asked to clarify how many patients were affected, a spokesperson responded with an email statement to DataBreaches.net:
It ranges from none to everyone incarcerated in the California prison system between 1996 and 2014. There may have been no data, but we cannot be sure, which is why we notifying everyone.