More Data Accessed During Atascadero State Hospital Security Breach
A State Employee Improperly Accessed the Personal Information of Thousands of Patients, Employees, Former Employees, and Job Applicants.
Yesterday, the Department of State Hospitals (DSH) announced the discovery of additional data that had been improperly accessed during the Atascadero State Hospital security breach that was identified on February 25th.
According to the ongoing investigation of the DSH, the additional data consists of personal information including addresses, phone numbers, email addresses, social security numbers, birth dates, and health information related to employment, of approximately 1,735 employees and former employees, as well as 1,217 DSH job applicants.
The newly identified data was discovered during the investigation of the same employee who was found to have improperly accessed approximately 1,415 patient and former patient, and 617 employee names, COVID-19 test results, and health information necessary for tracking COVID-19.
At the time the breach was discovered, the employee’s improper access had been ongoing for 10 months.
DSH is currently investigating the data breach together with the California Highway Patrol and has placed the principal subject of the investigation on administrative leave until the completion of the investigation.
For the time being, DSH says there is no evidence that there has been any use or attempted use of the information compromised by this incident.
In agreement with federal and state privacy laws, this update to the initial report of a data breach was reported to the United States Health and Human Services, Office of Civil Rights, the California Office of Information Security, the California Office of Health Information Integrity, the California Highway Patrol, the California Department of Public Health, and the California Attorney General’s Office. In addition, employees, former employees, and potential DSH job applicants affected by the breach are also being notified.
Earlier this month, the US Department of Justice has warned that hackers are creating COVID-19 vaccine survey scams for consumers. Attackers promise victims money or rewards for filling out the phony surveys. In reality, they just collect the filled-out personally recognizable details to sustain scam plans including identity theft.
However, the Atascadero State Hospital security breach should be a reminder for all organizations that compromises personal information of whatever kind are not only caused by cyber attackers. Let us remember the case of Premier Diagnostics, which was storing sensitive data belonging to individual patients, clinics, schools, and businesses on a publicly accessible server, exposing 50,000 patients’ personal info online.
Taking into consideration all the personal health information being collected by organizations in connection with COVID-19 screening, testing, and vaccination programs, this is not a problem limited to health care employers.