The Napa County Health and Human Services Agency in California has sent out breach notification letters to clients of its In Home Supportive Services program. The program is under the county’s Comprehensive Services for Older Adults division.
The notification followed the discovery that a thumb drive with unencrypted information was lost in the rubble after a big earthquake. The County does not believe there’s any real risk here, but properly notified those affected. The loss was discovered on August 27, three days after the earthquake, when the agency attempted to deal with the rubble in its office (which remains unusable from the damage).
Information on the thumb drive was limited to names, addresses, telephone numbers, and limited information concerning status as an IHSS client. There was no medical or identity information such as SSN, driver’s license numbers, or dates of birth on the missing drive.
Letters were mailed on September 10, according to a note on a copy of the notification letter uploaded to the California Attorney General’s site.
Update: see additional details Jeanne Price of idRADAR acquired in Comments below.
Napa officials this morning told me that 1,027 individuals were involved and the device was NOT encrypted. County of Napa has changed its approach to portable storage in the wake of the quake and all devices will now be encrypted.
A contracted cleaning crew was on site shortly after the quake along with agency officials. Investigation is considering either theft or device destruction in the quake as the cause here. Even with earthquakes factored into the county’s privacy plan, officials say they will change policies to do better next time.
Thanks so much for the additional details, Jeanne!