California Correctional Health Care Services (CCHCS) issued a press release on May 13, 2016 outlining the theft of a laptop that may contain Protected Health Information (PHI) for 400,000 prisoners incarcerated between 1996 and 2014. The laptop was password protected; however, it was not encrypted, so the patient information for patients incarcerated within the California Department of Corrections and Rehabilitation during the eight-year period is considered at risk of unauthorized viewing, which is what makes this a breach.
CCHCS does not know if PHI was contained on the laptop or if anything was accessed. This is considered a breach because the laptop was not encrypted, which is a requirement under the Health Insurance Portability and Accountability Act (HIPAA). Encrypting all electronic devices that contain PHI is a crucial practice for all health care organizations because even if a device is password protected, the password can be cracked fairly easily with the proper tools.
With the estimated number of affected prisoners at 400,000, CCHCS had to follow specific HIPAA breach-notification requirements. CCHCS was required to notify the OCR, large media outlets and the patients potentially affected by the breach. They also had to post the press release detailing the breach on their website. According to HIPAA, health care organizations must notify the media when a breach affects more than 500 individuals.
In the release, CCHCS states that actions were taken immediately after the theft was discovered. CCHCS provided additional training for its employees and corrective action for the employee who lost the laptop. CCHCS also stated that it plans to review its policies and update them as necessary, a response that the OCR and HIPAA regulations require when a breach occurs. The release does not state that CCHCS is offering credit protection services.
Encrypting and tracking devices are important steps to keep in mind when working through a HIPAA risk assessment. Health care organizations should keep an inventory of all mobile devices and, in that inventory, track the type of information stored on each device. Devices should be password protected, possibly even with multi-factor authentication, and encrypted.
To learn more about these compliance requirements and ways you can better protect PHI, use HIPAAgps to conduct your security risk assessment and training.