Wow – two state departments of public health reveal breaches in a 24-hour period? First it was Connecticut, reported on this blog earlier today, and now California. Here’s a statement from the California Department of Public Health:
The California Department of Public Health (CDPH) has reported to state authorities that a missing magnetic tape, delivered from one department facility to another, has been lost. The magnetic tape contained medical or other personal information for up to 2,550 facility residents, CDPH employees and health care workers, and was unencrypted.
CDPH is currently notifying affected individuals. CDPH will advise each individual about how to protect themselves from identity theft. At this point, there is no evidence that unauthorized parties have acquired or accessed personal information.
“The privacy of medical and other personal information is a top priority for CDPH,” said CDPH Director Dr. Mark Horton. “We immediately implemented procedure and policy changes to prevent such errors from occurring in the future. We take any breach of secure documents very seriously, and we regret this occurrence. We will redouble our efforts to ensure that everyone’s personal information is properly protected.”
The incident occurred when a CDPH field office in West Covina, in the Los Angeles area, sent a magnetic tape to the central office in Sacramento as part of the procedure for backing up its computer data. The magnetic tape was unlabeled and was sent via U.S. Postal Service.
On September 27, 2010, CDPH received the mailed envelope which was reported to be unsealed and empty. CDPH immediately reported the breach to the Information Security Office and began an investigation of the incident. On November 23, 2010, CDPH completed compiling the list of individuals whose medical or other personal information may have been compromised as a result of the loss of the tape.
The confidential information on the lost tape includes: employee e-mails, investigative reports, background information on health care workers, the names of health care facility residents and some information on their medical diagnosis, and social security numbers for CDPH employees and some facility residents and health care workers. CDPH has implemented policy and procedure changes to minimize the likelihood of recurrence and is researching options which would eliminate the need for a back up tape.
For more information about identity theft and protection options, log on to the California Office of Privacy Protection Web site at http://www.privacy.ca.gov.
Hat-tip, Los Angeles Times
So… will the state fine itself for not notifying individuals within 5 days of the discovery of the breach?