From their counsel’s notification to the California Attorney General’s Office:
Community Catalysts of California works with developmentally disabled clients and veterans to attain their employment, daily living, and social goals.
On or about August 31, 2015, the residence of an employee of Community Catalysts of California was burglarized and items were stolen including a flash drive. Community Catalysts was notified of the theft on September 8, 2015. The flash drive may have contained the name, address, diagnosis, date of birth, age, gender and/or telephone number for certain of Community Catalysts of California’s current and former clients. The social security numbers for 18 clients may also have been contained on the flash drive. No driver’s license, state identification, health insurance or financial account numbers were contained on the flash drive.
One thousand one hundred and eighty two (1,182) California residents were affected by the incident.
In its letter to affected clients, CCC’s CEO disclosed that the flash drive was in the employee’s car in their locked garage. And by implication, the letter suggests that the employee had not followed policy of using encrypted devices.
Those whose SSN were involved are being offered one year of monitoring and services with AllClearID.
A notification has also been posted to CCC’s web site.
Although some medical information (diagnosis) was involved, CCC does not appear to be a HIPAA-covered entity, and under those circumstances, this incident would not be reported to HHS.