That breach was described by Kevin Reilly, CDPH chief deputy director for policy and programs, "as a big and unusual event for us." It involved a protocol violation at the agency's West Covina office. Instead of using a private courier to transmit the tape, someone sent the tape through the U.S. Postal Service and it never arrived to its destination.
While individual employees have lost laptops containing small amounts of information, Reilly said at the time, "This is definitely the largest breach of confidential and private information we've had at the Department of Public Health."
The tape contained e-mail addresses, investigative reports and background information on healthcare workers, names of health care facility residents, some medical diagnoses and social security numbers of CDPH employees, facility residents and healthcare workers dating from 2003, state officials said.
Chapman said the breach announced on Friday "impacts most current CDPH and California Department of Health Care Services (DHCS) employees, as well as nearly 3,000 employees of the former Department of Health Services," which has been divided into two agencies.
The information contained individual names and addresses in conjunction with varying combinations of social security numbers, ethnicity, birth dates, next of kin and the addresses of those individuals listed as next of kin, and/or information from workers' compensation documents.
Both incidents are ironic because the agency is charged with imposing fines against health providers from which sensitive health and personal data might go missing or become misused.
California has perhaps the strictest laws with monetary penalties against hospitals that allow breach of sensitive medical information, amounting to $25,000 for the first offense and $17,500 for the second and subsequent breaches to a maximum of $250,000. However state law precludes the agency from assessing a monetary penalty against itself.
In a phone interview, Lundeen said his agency regrets the incident and will work to prevent its recurrence. "This is a challenge. This employee had access to the information. But we will undertake some internal safeguards and see what we can do about putting policies or practices in place to prevent such incidents again."
CDPH will offer credit monitoring services to affected individuals as well as a toll free line to answer questions from current and former employees.