Laptop Breach May Affect 400,000 Prisoners

Third Largest Incident Added to Federal Health Data Breach Tally So Far in 2016
The recent theft of an unencrypted laptop that may contain information on up to 400,000 inmates who served time in California prisons has been added to the federal tally of health data breaches. Experts say notifying all those potentially affected could prove challenging.
The laptop, which was stolen on Feb. 25, may have contained protected health information and personally identifiable information for patients within the California Department of Corrections and Rehabilitation who were incarcerated between 1996 and 2014, California Correctional Health Care Services says in a statement. The state agency has not yet verified what information was on the device, but it could have stored confidential medical, mental health and custodial information, the statement notes.
A CCHCS spokeswoman tells Information Security Media Group the laptop "could've possibly contained data" for up to 400,000 inmates because that's the total number receiving healthcare at CCHCS from 1996 to 2014. The stolen laptop was slated to be issued to a new employee, she says. Data potentially contained on the laptop includes names, addresses and Social Security numbers, as well as medical record information.
Because the laptop theft potentially compromised data of current and former inmates, notification of the affected individuals will likely be more challenging than many other health data breaches, some privacy and security experts say.
"There clearly are issues in notifying any kind of group, especially if the data is older or there is a transient nature to the population," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Obviously, in this context, it will be easy to notify current inmates and likely harder to notify others. Notifying people that you can't reasonably locate is always complicated, and the HHS rules seem to push toward public notifications, which really cannot do a good job of focusing on the affected individuals."
Privacy attorney Stephen Wu of the law firm Silicon Valley Law Group notes: "Some of the affected are prisoners who may have been released and the bureau may have no way of knowing how to find these people. Some may have moved far away, and some may be homeless."
In its statement, CCHCS acknowledges, "As we may not have current contact information for all persons potentially affected, we are taking additional steps of awareness including but not limited to a posting to our website and notification to the media."
In the wake of the incident, the agency says it's taking several information security steps. "This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards," the agency states. "As necessary, policies, risk assessment and contracts shall be reviewed and updated."
Nahra says the incident is "a good reminder on laptop encryption, as well as a reminder to make sure that people control [what] data that is on a laptop. I always want to know in these situations why the data was on a laptop in the first place."
Wu notes that "a data minimization approach could've helped protect that data - for instance by having the laptop as a client to access data as needed through the cloud."
State Agency Incidents
State agencies have reported a number of notable health data breaches in recent years. Among the largest such incidents was a hacking attack reported in July 2014 by Montana Department of Public Health and Human Services, which affected more than 1 million individuals. In addition, Utah's Department of Technology Services reported in March 2012 a hacking incident that exposed health department data on about 780,000 Medicaid clients and Children's Health Insurance Plan recipients.
"State agencies have often lagged behind much of the private sector in privacy and security controls," Nahra notes.
At least one breach involving a government agency has also led to an enforcement action by the HHS Office for Civil Rights (OCR).
"Alaska's Medicaid program, for example, reached a $1.7 million settlement with HHS back in 2012 over an information security incident," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
OCR has issued several resolution agreements containing financial settlements and corrective action plans as an outcome of investigations triggered by breaches involving stolen unencrypted devices.
"It could be years before we learn whether this [California corrections] incident similarly leads to a financial settlement between HHS and a state agency," Greene says. "The fact that this is a state agency is unlikely to significantly impact whether HHS seeks a resolution agreement, as HHS has made clear that they expect all covered entities, both public and private, to comply with HIPAA."