A magnetic tape containing sensitive personal and medical information for up to 2,550 residents and employees of 600 Southern California skilled nursing facilities has gone missing in the mail, state officials said Wednesday.
Kevin Reilly, the California Department of Public Health's chief deputy director for policy and programs, described the breach as "a big and unusual event for us," which resulted from a violation of protocol at the West Covina office. Protocol requires the state to use a private courier instead of the U.S. Postal Service for such sensitive material, but that protocol was sometimes not followed at that office. While individual employees have lost laptops containing small amounts of information, Reilly said, "This is definitely the largest breach of confidential and private information we've had at the Department of Public Health."
The tape contains e-mail addresses, investigative reports and background information on healthcare workers, names of health care facility residents, some medical diagnoses and social security numbers of CDPH employees, facility residents and healthcare workers dating from 2003, state officials said. The information was created or sent to the state Division of Licensing and Certification's West Covina office. "Everything we do out of that office was on the tapes," including potentially sensitive investigative documents regarding health facility violation investigations which may not have included personal information or health records, Reilly said.
Spokesman Mike Sicilia explained that the office primarily deals with investigations of certified nursing assistants at skilled nursing facilities in Southern California but that documents involving a few other types of health facilities may also be on the tape.
The material is unencrypted, but uses a specific magnetic tape system that's not largely available, state officials said.
While there was no evidence to date that unauthorized parties have acquired or accessed the information, "the California Department of Public Health is currently notifying affected individuals," and will "advise each individual about how to protect themselves from identity theft," state officials said in a news release.
The incident occurred when a CDPH office in West Covina, near Los Angeles, sent the tape by way of the U.S. Postal Service 400 miles to the Sacramento central office for backup. CDPH's Sacramento office on Sept. 27 received the mailed envelope "which was reported to be unsealed and empty. CDPH immediately reported the breach of the information Security Office and began an investigation," the state said.
On November 23, 2010, CDPH completed compiling the list of individuals whose medical or other personal information may have been compromised as a result of the loss of the tape. Reilly explained that it took several weeks to evaluate "thousands and thousands of documents" on the tape in order to determine which ones contained someone's personal or medical information.
California imposes fines for such medical information breaches when they occur in health settings, and the penalties are said to be the toughest in the country. For the breach of a one patient's medical record, the fine is $25,000 and for subsequent records, $17,500. As of Nov. 22, the state had fined hospitals $2.2 million for such lapses in patient confidentiality.
State officials said they have instituted policies and procedures "to minimize the likelihood of recurrence and is researching options which would eliminate the need for a backup tape."