California Correctional Healthcare Services Data Breach Affects up to 400K Prisoners

The California Correctional Healthcare Services data breach announced last month has recently been added to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights.

California Correctional Healthcare Services Data Breach May Have Exposed 400,000 Social Security Numbers

Last month it was suspected that many thousands of prisoners may have been affected. The OCR breach report shows the breach was severe. As many as 400,000 individuals may have had their protected health information exposed, making this the third largest healthcare data breach reported so far in 2016.

On February 25, 2016, a laptop computer was left in a vehicle by a member of California Correctional Healthcare Services staff. The vehicle was broken into and the laptop was stolen. While the device was protected with a password, the data stored on the laptop were not encrypted. It is therefore possible that data could be viewed by the thief or the individual now in possession of the device.

On April 25, 2016, California Correctional Healthcare Services concluded that the protected health information and personally identifiable information of individuals detained by the California Department of Corrections and Rehabilitation had potentially been exposed. The individuals believed to have been affected had been imprisoned at some point between 1996 and 2014. The data stored on the laptop included names, addresses, Social Security numbers, medical information, custodial information, and information relating to the mental health of patients.

California Correctional Healthcare Services has been unable to determine which data were actually stored on the laptop and the exact number of patients affected. It is likely that this may never be known unless the laptop is actually recovered.

Under HIPAA Regulations, all healthcare patients potentially affected by a data breach must be notified, although in this case that is likely to prove difficult, if not impossible. Current inmates can be notified of the breach, but California Correctional Healthcare Services does not maintain a database with current contact information for former inmates. A substitute breach notice has been posted on the CCHS website and a media notice has been released.

In response to the California Correctional Healthcare Services data breach, action is being taken to improve security and reduce the risk of future data breaches. A statement released by the agency said, “This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards.” It is not clear whether data encryption will be used in future.

Had data been stored in the cloud, the California Correctional Healthcare Services data breach could have been avoided. Similarly, data encryption could have prevented the exposure of patients’ data.