Potential Compromise of 10,000 Patients’ PHI from Stolen Raley’s Pharmacy Laptop

by

Raley’s Pharmacy is notifying about 10,000 patients about the potential compromise of some of their protected health information (PHI). The incident on September 24, 2018 involved the theft of a laptop computer from a Raley’s pharmacy, which possibly contained the PHI of some patients.

Raley’s pharmacy had the incident investigated immediately to find out the details of the information that the device contained. Employees who used the computer were interviewed as a way to know the types of information potentially exposed. The investigators also reviewed the employees’ email accounts and checked the attachments and links within the documents containing ePHI. This is an attempt to find out which files were downloaded or saved in cache files in the laptop’s temporary directory.

After analyzing the investigation results, Raley’s Pharmacy established that security incident only affected the patients who visited a Raley’s, Bel Air, and Nob Hill Foods pharmacy from January 1, 2017 to September 24, 2018 for filling up prescriptions. In addition, the files that were potentially downloaded to the computer containing highly sensitive data including addresses, Social Security numbers, credit card details, and driver’s license numbers were not compromised. The only information compromised in the breach were the first and last names, birth dates, gender, visit dates, location of pharmacy visited, health condition, prescription details, and health plan ID numbers.

Since Health plan/insurance details were potentially exposed, Raley’s Pharmacy advised the affected patients to keep track of their Explanation of Benefits statements for signs of suspicious activity.

In response to the security breach, Raley’s Pharmacy implemented encryption on all laptop computers to stop unauthorized persons from accessing data in case of future theft incidents. The company is still evaluating other security adjustments.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]