- HIPAA Update - http://blogs.hcpro.com/hipaa -

CDPH data breach affects 9,000 state workers

Cheryl Clark, for HealthLeaders Media

For the second time in just over six months, California public health officials late Friday acknowledged a major breach of sensitive health and personal information from within their own agency, this time affecting 9,000 current and former state employees.

The information “was improperly copied to a private hard drive and removed from state offices,” said Ron Chapman, MD, director of the California Department of Public Health. There is, as yet, no indication that the information has been misused or further disclosed, he said.

The agency said the state’s security detection system noticed “unusual activity” on April 5, and prompted CDPH to investigate. The agency “discovered the unauthorized removal of information from state premises by an employee” who is currently on administrative leave until the investigation is complete, according to an agency press release sent out on Friday.

“We regret that the personal information of our employees was compromised,” said Chapman. “We take the breach of any secure documents very seriously and are committed to taking steps to minimize any impact of this action and further strengthen our security policy.”

Asked why the breach took three months to announce, CDPH spokesman Al Lundeen said in a telephone interview Friday that the incident required a lengthy investigation and during that time, the employee involved was barred from having access to sensitive information. The data that was copied was related to Human Resources records and some of it contained information dealing with workmen’s compensation claims.

“This was not accidental. It appears to be an intentional act by one individual,” said Lundeen, who added that state officials are now working with police on the matter.

Last December the same agency was forced to announce [1] that a magnetic tape containing sensitive personal and medical information for up to 2,550 residents and employees of 600 Southern California skilled nursing facilities had gone missing in the mail.

That breach was described by Kevin Reilly, CDPH chief deputy director for policy and programs, “as a big and unusual event for us.” It involved a protocol violation at the agency’s West Covina office. Instead of using a private courier to transmit the tape, someone sent the tape through the U.S. Postal Service and it never arrived at its destination.

While individual employees have lost laptops containing small amounts of information, Reilly said at the time, “This is definitely the largest breach of confidential and private information we’ve had at the Department of Public Health.”

The tape contained e-mail addresses, investigative reports and background information on healthcare workers, names of health care facility residents, some medical diagnoses and social security numbers of CDPH employees, facility residents and healthcare workers dating from 2003, state officials said.

Chapman said the breach announced on Friday “impacts most current CDPH and California Department of Health Care Services (DHCS) employees, as well as nearly 3,000 employees of the former Department of Health Services,” which has been divided into two agencies.

The information contained individual names and addresses in conjunction with varying combinations of social security numbers, ethnicity, birth dates, next of kin and the addresses of those individuals listed as next of kin, and/or information from workers’ compensation documents.

Both incidents are ironic because the agency is charged with imposing fines against health providers from which sensitive health and personal data might go missing or become misused.

California has perhaps the strictest laws with monetary penalties against hospitals that allow breach of sensitive medical information, amounting to $25,000 for the first offense and $17,500 for the second and subsequent breaches to a maximum of $250,000. However, state law precludes the agency from assessing a monetary penalty against itself.

In a phone interview, Lundeen said his agency regrets the incident and will work to prevent its recurrence. “This is a challenge. This employee had access to the information. But we will undertake some internal safeguards and see what we can do about putting policies or practices in place to prevent such incidents again.”

CDPH will offer credit monitoring services to affected individuals as well as a toll free line to answer questions from current and former employees.


Cheryl Clark is a senior editor and California correspondent for HealthLeaders Media Online. She can be reached at cclark@healthleadersmedia.com [2]. Follow Cheryl Clark on Twitter [3].