Potential Compromise of 10,000 Patients’ PHI from Stolen Raley’s Pharmacy Laptop

Raley’s Pharmacy is notifying about 10,000 patients about the potential compromise of some of their protected health information (PHI). The incident on September 24, 2018 involved the theft of a laptop computer from a Raley’s pharmacy, which possibly contained the PHI of some patients.

Raley’s pharmacy had the incident investigated immediately to find out the details of the information that the device contained. Employees who used the computer were interviewed as a way to know the types of information potentially exposed. The investigators also reviewed the employees’ email accounts and checked the attachments and links within the documents containing ePHI. This is an attempt to find out which files were downloaded or saved in cache files in the laptop’s temporary directory.

After analyzing the investigation results, Raley’s Pharmacy established that security incident only affected the patients who visited a Raley’s, Bel Air, and Nob Hill Foods pharmacy from January 1, 2017 to September 24, 2018 for filling up prescriptions. In addition, the files that were potentially downloaded to the computer containing highly sensitive data including addresses, Social Security numbers, credit card details, and driver’s license numbers were not compromised. The only information compromised in the breach were the first and last names, birth dates, gender, visit dates, location of pharmacy visited, health condition, prescription details, and health plan ID numbers.

Since Health plan/insurance details were potentially exposed, Raley’s Pharmacy advised the affected patients to keep track of their Explanation of Benefits statements for signs of suspicious activity.

In response to the security breach, Raley’s Pharmacy implemented encryption on all laptop computers to stop unauthorized persons from accessing data in case of future theft incidents. The company is still evaluating other security adjustments.