UCLA Health System notifies 16,288 of stolen hard drive
Public notice from UCLA Health System, posted today on their web site:
The UCLA Health System is notifying thousands of patients by mail that on Sept. 6, 2011, an external computer hard drive that contained some personal information on 16,288 patients was among a number of items stolen during a home invasion. Although this information was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located. There is no evidence suggesting that the information has been accessed or misused.
The documents containing information did not include Social Security numbers or any financial information. They did include first and last names and may have included birth dates, medical record numbers, addresses and medical record information. The police were immediately contacted, but so far, the stolen items have not been recovered.
UCLA has engaged Kroll, a global leader in data security, to provide assistance to individuals affected by this incident. Individuals can call 1-855-366-0145 Monday through Friday between 8 a.m. and 5 p.m. (Pacific Time) for information on this matter.
UCLA is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood of such an incident occurring again. The UCLA Health System considers patient confidentiality a critical part of its mission of providing the highest level of teaching, research and patient care. UCLA’s concern for its patients is absolute, and we deeply regret any breach of patient confidentiality and the stress and concern it might cause our patients.
Frequently Asked Questions:
Q: When did the incident occur and what was stolen?
A: On September 6, 2011, an encrypted hard drive, containing patient information was stolen during a home invasion.
Q: How many individuals’ information was on the device?
A: The information of 16,288 individuals was on the device.
Q: Who did the hard drive belong to?
A: The hard drive belonged to an individual who maintained the information on the device in order to perform necessary UCLA job duties.
Q: What information was exposed in the incident?
A: The information on the hard drive included patients’ first name, last name and at least one of the following: the patient’s date of birth, medical record number, address, and medical information. Identifiers such as the patients’ social security numbers and financial information such as credit or debit card numbers, and insurance coverage information were not included on the hard drive.
Q: Was there a specific time period for the records stored on the device?
A: Yes, the information stored on the device was approximately from July 2007 to July 2011.
Q: Were all my records stored on the device?
A: No. No individual’s complete medical record was stored on the device.
Q: How did UCLA Health System become aware of the incident?
A: The day after the theft, the owner of the hard drive reported the incident to UCLA Health System by telephone.
Q: How did UCLA Health System respond to this incident?
A: UCLA Health System acted immediately by working with the individual on obtaining a copy of the files stored on the hard drive in order to identify individuals impacted by the incident. UCLA Health System then moved quickly to obtain addresses for and notify the individuals. UCLA Health System reported the incident to the US Department of Health and Human Services – Office for Civil Rights.
Q: What is UCLA Health System doing to prevent this from happening in the future?
A: UCLA Health System is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood this will happen again. In addition, UCLA Health System will provide additional education and awareness to its workforce members regarding the appropriate methods for storing patient information.
Q: Am I at risk for identity theft due to this event?
A: We believe it is very unlikely but there is a possibility. There is no evidence suggesting that your information has been accessed or misused. UCLA Health System has partnered with Kroll to offer you assistance if your name and credit are affected by this incident.
Q: I received a letter notifying me of the incident but the letter has information about Kroll Services. Is this letter a scam?
A: No, the letter is not a scam. The UCLA Health System has hired Kroll to assist with this incident. One of the services Kroll is offering is Identity Theft consultation and restoration services if your name and credit are affected by this incident.
Q: Why wasn’t I notified sooner?
A: The investigation included a review of thousands of documents, in order to identify the impacted individuals. From the information reviewed valid addresses had to be obtained. UCLA Health System worked diligently to complete these tasks as rapidly and thoroughly as possible and to notify affected individuals as quickly as possible.