Stolen UCSF Laptops Contained PHI of Research Participants
The University of California San Francisco (UCSF) has announced the burglary of a faculty member’s office involved the theft of a laptop computer contained the unencrypted, protected data of a number of individuals. The information included research and health information along with Personally Identifiable Information (PII) and medical insurance details.
The burglary occurred in May, with thieves gaining access to the office of a faculty member of the Cardiac Electrophysiology & Arrhythmia Service. UCSF discovered the theft, and potential data breach, on May 6, 2015. After conducting an investigation UCSF determined that the data stored on the laptop included names, dates of birth, medical record numbers, and health insurance Identification numbers. No Social Security numbers or financial information were exposed, although UCSF’s investigation revealed that 435 individuals had their health information compromised.
In the notice placed on the University website, the incident is stated to have involved the theft of a laptop computer. However, the notice says “UCSF promptly began an extensive technical analysis to identify what information was on the laptop. The analysis revealed that the computers contained some personal information,” It is not clear if more than one computer was stolen in the incident.
Individuals affected by the breach are being notified by post that their information has potentially been compromised, although no evidence has been uncovered to suggest any information has been used inappropriately.
Often it takes some months before criminals use stolen data to commit crimes, so breach victims should exercise caution and check their credit frequently. To do this, individuals can obtain a free report from each of the main credit bureaus; Equifax, Experian and TransUnion, once every 12 months. Credit monitoring services should be activated, if they are provided and Explanation of Benefits statements should be obtained and checked for irregularities, since health insurance information was compromised.
In the breach notice, UCSF announced that “The university is committed to maintaining the privacy of personal, research and health information, and has taken additional steps to secure that information, including strengthening administrative, technical and physical processes for information security. “
UCSF has suffered a number of data breaches in the past, with 2014 starting particularly badly. UCSF Medical Center suffering three data breaches in just four months. The last breach, taking place at the medical center on March 6, 2014, involved unencrypted computers being stolen from the center.
According to esecurityplanet, after the third breach in 2014, it was announced that “The University of California is committed to maintaining the privacy of personal information and has taken additional steps to secure that information, including strengthening our educational and operational processes for information security,”
It is not clear what protections the University put in place, but these did not extend to data encryption. Data encryption is one of the most secure methods of safeguarding data, and in the case of portable device theft, it prevents a reportable data breach from being suffered and ensures patient privacy is not compromised.
