Hard to believe, but UCLA Health is notifying patients of yet another data breach.
From a notice issued today:
UCLA Health is sending notification letters to 1,242 individuals about the theft of a laptop computer containing patient names, medical record numbers, and health information used to help prepare patient treatment plans. No social security numbers, health plan ID numbers, credit card numbers, or other financial data were stored on the stolen laptop.
The laptop, which was password protected, was reported stolen July 3 and belonged to a faculty member. Upon receipt of the report, UCLA Health initiated an analysis of a backup disk made available by the faculty member to determine whether protected health information or other restricted information was stored on the device and, if so, whose. This review was completed on August 14, 2015.
At this time, there is no evidence that any individual’s personal or medical information stored on the laptop has been accessed, disclosed, or used. UCLA Health does have policies and programs in place to identify “red flags” or warnings of possible medical identity theft and inform patients when these are found. The California Attorney General also has published guidelines, available online at https://oag.ca.gov/privacy/facts/medical-privacy/med-id-theft, to help patients and consumers protect themselves. Finally, UCLA Health is enhancing its security policies and retraining those involved with the incident to help avoid any future similar events.
UCLA Health has notified the DHHS Office for Civil Rights, the California Attorney General, and other regulators of the theft, and a special phone line has been established to provide information and assistance to those who receive the notification letters.
Patient privacy and well-being are of paramount importance and UCLA Health deeply regrets any concern or impact this incident may cause. A toll-free number has been set-up for patient questions, 1-888-236-0447.
This is the third breach incident noted in recent months. The first was a massive hack impacting 4.5 million patients. The second, which was not announced by UCLA Health but was reported by a patient, involved mis-mailings of breach notification letters for the hacking incident.
UCLA Health has also been in the headlines this week over a 2012 breach that has gone to trial over the psychological harm done to a patient whose records were improperly accessed and then shared by a temporary employee at an affiliated doctor’s office. UCLA has tried to disclaim responsibility for the security of their database by saying that the (sole) responsibility rests with the affiliated physician who never should have given his password to his employee. The hospital has also tried to claim that any depression the patient experienced was likely due to her pregnancy and not the result of the breach.
Update: A copy of the template notification to patients is available on the California Attorney General’s web site.