The protected health information of 582,174 patients of the California Department of Developmental Services (DDS) was potentially compromised. Thieves broke into the legal and audits offices of DDS in Sacramento, CA on February 11, 2018. They had potential access to the PHI of over half a million patients plus the sensitive information of about 15,000 contractors, employees, job applicants, and parents of minors that received DDS services. The thieves also stole 12 units of government computers.
It seemed that the thieves were not interested in paper records while they were in the office. The computers they took were also secured by encryption so they could not possibly access data. DDS confirmed that all electronic protected health information (ePHI) remained secure since the thieves did not use the office computers to access the department’s network.
DDS published a substitute breach notice that explained what happened in its offices during that time when the thieves broke in. They vandalized the office and started a fire, which triggered the sprinkler system to put out the fire. Many documents and CDs became wet and damaged because of that incident. The damage caused by fire and water made it impossible to say with 100% certainty that the thieves took sensitive data from the office or accessed the patients’ PHI.
In the event that the thieves viewed or stole PHI, the information was limited to the following: names, state-issued client identifier numbers, medical records, service dates, service codes, units billed and payment amount for services.
DDS reported the burglary to law enforcement and an investigation was initiated. To date, there were no perpetrators identified. Even if it is very likely that the thieves did not gain access to the patients’ protected health information, DDS still sent notifications to the affected patients as a safety precaution. The incident report was also submitted to the Department of Health and Human Services’ Office for Civil Rights.
This is by far the largest security breach reported to OCR in 2018. Its number of affected individuals is greater than the breach last January at Oklahoma State University Center of Health Sciences that affected 279,865 individuals and the breach in February at St. Peter’s Surgery & Endoscopy Center that affected 134,512 individuals.