Yet Another Security Incident at UCLA
Stolen Hard Drive Affects 16,000
The University of California at Los Angeles Health System is notifying more than 16,000 patients about the Sept. 6 burglary at the home of an employee who left UCLA's staff in July. "Although the information on the hard drive was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located," according to a statement from the medical center. So far, there's no evidence the information has been accessed or misused, UCLA notes. But police say the stolen drive has not been recovered.
Information on the drive, UCLA reports, may have included patient names, birth dates, medical record numbers, addresses and medical record information. Social Security numbers and financial information were not stored on the device. The information on the drive dates from July 2007 to July 2011.
UCLA notes that the hard drive belonged to the former employee "who maintained the information on the device in order to perform necessary UCLA job duties."
In the wake of the incident, "UCLA Health System is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood this will happen again," according to the statement. "In addition, UCLA Health System will provide additional education and awareness to its workforce members regarding the appropriate methods for storing patient information."
The provider organization says it has hired Kroll to offer identity theft consultation and restoration services to patients "if your name and credit are affected by this incident."
In July, UCLA Health System entered a resolution agreement with the Department of Health and Human Services' Office for Civil Rights in a case involving a series of records snooping incidents. The agreement called for the payment of the fine plus implementation of a corrective action plan (see: UCLA Health System Fined $865,000).
And in 2010, a former UCLA Health System surgeon was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others (see: HIPAA Violation Leads to Prison Term).