Correction: This article originally reported that Riverside did not return the phone call from PHIprivacy.net asking them to clarify whether this was a second breach or an update of the first breach report.. Riverside did attempt to return the call that day, but was unable to get through as the line was tied up. PHIprivacy.net apologizes to Riverside for our error in reporting that they hadn’t returned our call.
ABC News reports that an unencrypted laptop that went missing from Riverside County Regional Medical Center in December may have contained personal information of nearly 7,900 patients.
At first blush, this new report appeared to be an update of a breach disclosure the center made in June, when they reported notifying 563 patients of a missing laptop that had been connected to electromyogram testing equipment. But it’s not – it’s a second breach that also involves a missing laptop.
The following notice to patients, dated January 29, is prominently displayed on the center’s homepage:
An unencrypted laptop computer reported missing from Riverside County Regional Medical Center (RCRMC) in December might have contained the personal information of patients who received ophthalmology and dermatology services at the hospital between Jan. 26, 2012 and last Nov. 26.
RCRMC’s chief compliance officer, Jan Remm, said the hospital immediately notified law enforcement and began a thorough internal investigation after a department manager at the Moreno Valley-based hospital reported the laptop missing on Dec. 1.
Remm said she has no reason to believe that the laptop was taken for its patient-related files or that information has been accessed or used in any way. She said computer forensic experts determined the information of approximately 7,900 patients might have been stored on the laptop. The information can include differing amounts of patient information, including names, addresses, birth dates and, in some instances, social security numbers and health plan policy numbers. Limited clinical information, such as diagnosis, also might have been present.
“We are taking significant measures to safeguard patient privacy and to restrict unauthorized access to computers and devices that potentially contain patient data,” Remm said. “The privacy of our patients is a fundamental priority in our organization and part of our commitment to quality healthcare.”
Remm said the hospital has significantly strengthened its inventory controls to prevent future loss of electronic devices, while cyber-security experts are currently encrypting all the organization’s computers and laptops to safeguard patient data. Letters are being mailed out to inform affected patients about the potential data breach, Remm said
Hospital officials encourage patients concerned about personal information to closely monitor their credit reports by calling 1-877-322-8228 to request a free annual report from the three U.S. credit reporting agencies; Equifax, Experian and TransUnion. The report also may be requested online at www.annualcreditreport.com
Patients concerned about whether their information was stored on the laptop are encouraged to contact the RCRMC confidential assistance line staffed with professionals familiar with this incident. The confidential assistance line is available Monday through Friday 6:00 a.m. to 4:00 p.m., PST at (866) 313- 7993.
The Press Enterprise is reporting it as a second breach.
Update: The letter to patients uploaded to California Attorney General’s web site today confirms that this was a second breach, as it was first detected on December 1, 2014.