A California agency says private information for about 600,000 people may have been exposed during the burglary of a state building.
The Department of Developmental Services said Friday that the confidential information may have been seen during a Feb. 11 break-in at one of its Sacramento buildings.
Read more on NBC Bay Area.
Here is the department’s notice from their web site:
The Department of Developmental Services is informing the public about a recent incident that may have resulted in the breach of confidential information. On February 11, 2018, a break-in occurred at the DDS legal and audits offices building in Sacramento. The trespassers ransacked files, vandalized and stole state property and started a fire. The Department has no evidence that personal and health information was compromised due to the incident. However, out of an abundance of caution, it is notifying clients and the public about the incident and following federal requirements regarding potential breaches.
As detailed in the notices below, the people who broke into the building had access to the health information of about 582,000 individuals served by DDS. They also had access to the personal information of about 15,000 employees of regional centers, service providers, applicants seeking employment with the Department’s audits office, and parents of minors enrolled in DDS programs. Responses to frequently asked questions are below.
From the department’s notification letter concerning PHI:
April 6, 2018
Notice of Breach of Protected Health Information
The Department of Developmental Services (Department) is writing to inform you about an incident that happened at the Department’s legal and audits offices in Sacramento. As explained in this letter, unknown persons broke into the offices, and had access to your personal health information. We have no evidence to believe those who broke in actually stole your information or can use any stolen information to harm you. In the abundance of caution, we are providing you this notice so you are aware of what happened, and can take steps to monitor any unusual activity regarding your personal health information.
What Happened
On Sunday, February 11, 2018, unknown persons broke into the Department’s legal and audits offices, ransacked the offices and paper files, vandalized property, and started a fire. The fire set-off the building’s sprinklers, which caused water damage to many documents and computer workstations. Law enforcement is investigating the incident.
After the break-in, the Department discovered a number of paper documents and compact discs (CDs) were either displaced or damaged from the fire and the sprinklers. Some of these paper documents and CDs included protected health information (PHI). Twelve state-owned laptop computers were also stolen, but the data on these computers cannot be accessed because they were encrypted to meet the highest federal security standards. The Department’s review of its computer system confirmed the network was not accessed. All electronic files remain protected.
Please note, the Department is not aware of any evidence the PHI on the documents or CDs located in the offices were taken or viewed by the thieves, or that the PHI on those documents or CDs was compromised in any way.
What Information Was Involved
The fire and water damage to some papers, the existence of CDs, combined with the required cleanup, makes it impossible for the Department to identify with certainty whose PHI may have been compromised. Because we do not know for sure whether your PHI was improperly viewed or accessed during the break-in, we are sending you this notice.
The information contained in paper files and CDs included PHI and other information such as: (1) names; (2) unique state-issued client identifier numbers; (3) service codes; (4) units billed; (5) service dates; (6) amounts paid for services; and/or (7) medical records.
And from their other letter on what types of PII were involved:
What Information Was Involved:
The fire and water damage to some papers, combined with the required cleanup, make it impossible for the Department to identify with certainty whose personal information may have been compromised. Because we do not know for sure whether personal information was improperly viewed or accessed during the break-in, we are issuing this public notice.
The information contained in paper files included personal information of certain employees of regional centers and service providers, applicants seeking employment with the Department’s audits office, and certain parents of minors enrolled in DDS’ Annual Family Program Fee, Family Cost Participation Program, or Parental Fee Program. The personal information included the following: 1) name; 2) address; 3) phone numbers; 4) social security number, and 5) financial records.