Up to 400K Prisoners’ SSNs and PHI Revealed

Up to 400K existing and earlier inmates imprisoned by the California Department of Rehabilitation and Corrections during 1996 to 2014 have possibly had their medical data, Social Security numbers, and personally identifiable information displayed.

Last month California Correctional Healthcare Services (CCHCS) reported the data break and an alternate break notice was displayed on the website of CCHCS on May 13; nevertheless, at the time it was not clear precisely how many inmates had been impacted.

Although this is still not certain, the OCR break report shows up to 400K people might have been impacted. A precise figure is unknown because the inquiry carried out by CCHCS hasn’t yet determined which persons’ data were saved on the device. The figure of 400K is the total of patients who had gotten healthcare facilities from CCHCS during 1996 to 2014.

That makes this the 3rd biggest healthcare data break reported so far in 2016, just after the 483,000-record break at Radiology Regional Center, as well as the 2.2 million-record data break at 21st Century Oncology.

The password-protected laptop was dumped in a worker’s automobile from where it was thieved on February 25th, 2016. CCHCS inquired the safety break but faced trouble deciding whether or not patient data were saved on the laptop. On April 25, CCHCS reached at the conclusion that the data of existing as well as earlier inmates had been revealed.

When laptops and other moveable electronic devices are thieved it’s generally possible to find out which persons have been impacted by retrieving data backups. In this instance, however, that doesn’t seem to have been likely, at least at this instant in time.

Break notice letters should, therefore, be dispatched to all people possibly affected by the break; nevertheless, this is likely to be difficult. After release from jail, previous prisoners can be hard to track. As much of the data is outdated – as much as 20 years in some instances – it is probable that making contact with people by mail might be impossible.

The alternate break notification displayed on the CCHCS website shows efforts have been made to get in touch with former inmates. “As we might not have present contact info for all people possibly impacted, we are taking extra measures of consciousness including but not restricted to a displaying to our website and notice to the mass media.”

Now several measures have been applied to decrease the possibility of similar breaks of saved health information happening. Those steps include – but are not restricted to – offering staff members with extra training on data safety, revising plans and processes, and applying extra technology regulations.

The case underlines the danger of storing confidential data on moveable devices. Had data been saved centrally, the break could have been avoided. If local storing of data was essential, the usage of data encryption might also have avoided a break from happening.

Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.