Theft exposed PHI information

May 16th, 2016 by admin Leave a reply »

Some incarcerated patients at the California Correctional Healthcare Services are affected by the potential healthcare data breach. Affected information included PHI or personally identifiable information such as medical, mental health, and custodial information.

Facility did not mention number of affected individuals by the security incident. But it said that PHI may have been affected for patients who were incarcerated between 1996 and 2014 in the California Department of Corrections and Rehabilitation.

As per the statement, “We regret this incident occurred and take these events seriously. CCHCS has taken steps to mitigate these types of events including information security training for staff and we are reinforcing information security practices. We are also taking steps to ensure that all CCHCS mobile devices include appropriate technology protections.”

The possible PHI breach incident occurred after work laptop was stolen from an employee’s personal vehicle. According to the reports, laptop was not encrypted.But the facility said that laptop was password protected.

“Under current federal regulations, an entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”

Officials are still not sure the the extent of breach as it failed to analyse the total information contained in the laptop. California Correctional Healthcare Services cannot identify specific individuals. But it has attempted to contact each individual affected by the incident. It is possible that some patients will not receive any notification from facility, so notice is uploaded on its website and information  of the event is sent to the media.

“CCHCS [California Correctional Healthcare Services] is committed to protecting the personal information of our patients,” said Director of Communications and Legislation Joyce Hayhoe in the press release. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”


Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Leave a Reply