Yet Another Security Incident at UCLA

Stolen Hard Drive Affects 16,000
Just four months after agreeing to pay an $865,000 penalty for a series of HIPAA violations, UCLA Health System has revealed a breach incident involving the theft of an external hard drive from a former employee's home.

The University of California at Los Angeles Health System is notifying more than 16,000 patients about the Sept. 6 burglary at the home of an employee who left UCLA's staff in July. "Although the information on the hard drive was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located," according to a statement from the medical center. So far, there's no evidence the information has been accessed or misused, UCLA notes. But police say the stolen drive has not been recovered.

Information on the drive, UCLA reports, may have included patient names, birth dates, medical record numbers, addresses and medical record information. Social Security numbers and financial information were not stored on the device. The information on the drive dates from July 2007 to July 2011.

UCLA notes that the hard drive belonged to the former employee "who maintained the information on the device in order to perform necessary UCLA job duties."

Reviewing Policies

In the wake of the incident, "UCLA Health System is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood this will happen again," according to the statement. "In addition, UCLA Health System will provide additional education and awareness to its workforce members regarding the appropriate methods for storing patient information."

The provider organization says it has hired Kroll to offer identity theft consultation and restoration services to patients "if your name and credit are affected by this incident."

In July, UCLA Health System entered a resolution agreement with the Department of Health and Human Services' Office for Civil Rights in a case involving a series of records snooping incidents. The agreement called for the payment of the fine plus implementation of a corrective action plan (see: UCLA Health System Fined $865,000).

And in 2010, a former UCLA Health System surgeon was sentenced to four months in prison after admitting he illegally read private electronic medical records of celebrities and others (see: HIPAA Violation Leads to Prison Term).


About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



