UCLA Health this week announced that the theft of a faculty member's password-protected but unencrypted laptop has exposed 1,242 patient names, medical record numbers and health information.
The laptop was reported stolen on July 3, 2015, after which a backup was examined to determine what sensitive information may have been on the device. That investigation was completed on August 15, 2015.
UCLA Health says it's "enhancing its security policies and retraining those involved with the incident to help avoid any future similar events," and adds that there's no evidence at this point that any of the data on the laptop has been accessed or misused.
It's been a rough year for UCLA Health, which earlier this year acknowledged that a cyber attack may have exposed 4.5 million people's personal information, including names, addresses, birthdates, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (medical conditions, medications, procedures and test results).https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"Patient privacy and well-being are of paramount importance and UCLA Health deeply regrets any concern or impact this incident may cause," UCLA Health said in a statement. Patients with questions are advised to contact (888) 236-0447.
The U.S. Department of Health and Human Services (HHS) has been aggressively pursuing HIPAA violations linked to laptop thefts for several years now -- Indiana's Cancer Care Group recently agreed [PDF] to pay $750,000 to settle potential HIPAA violations in connection with the theft of an unencrypted laptop and backup drive from an employee's car on on August 29, 2012.
That theft exposed the names, addresses, birthdates, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care Group patients.
According to the HHS Office for Civil Rights (OCR), Cancer Care Group hadn't conducted an enterprise-wide risk analysis at the time of the breach, and had no written policy in place regarding the removal of devices containing protected health information (PHI) from its facilities.
"Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information," OCR director Jocelyn Samuels said in a statement. "Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."
This eSecurity Planet article offers six tips for stronger encryption.