Possible PHI Compromise Might Have Impacted 582,000 Patients of California Dept. of Developmental Facilities

April 26, 2018


The California Department of Developmental Services (DDS) is contacting its 582,174 patients to inform them that their protected health information may have been compromised.

On February 11, 2018, intruders broke into the DDS legal and audits offices in Sacramento, CA. Once inside, the thieves possibly had access to the confidential information of about 15,000 workers, freelancers, job candidates, and parents of minors who are treated at DDS facilities, along with their PHI. The thieves also took 12 government computers.

It is not yet clear whether the culprits were interested in paper records. All computers taken by the thieves were encrypted, so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department's network and that electronic protected health information remained protected at all times.

In the substitute breach notification it posted, DDS noted that its offices were vandalized and a fire was started, which activated the sprinkler system and damaged CDs and documents.

The nature of the vandalism and the damage caused by the fire and sprinkler system have made it impossible to determine with 100% confidence whether any information was removed from the offices or whether PHI has been compromised.

If PHI was viewed or stolen, it would have been limited to names, units billed, service dates, service codes, unique state-issued client identifier details, medical records, and amounts paid for facilities.

Law enforcement agencies have been notified of the incident and the burglary has been investigated, but the culprits have not been found.

Although it is not believed that the thieves gained access to the PHI of patients, notices have been sent to affected people out of an abundance of caution and the incident has been reported to the Department of Health and Human Services' OCR.

This HIPAA security breach is the latest to be reported to the OCR in 2018, and it exceeds the 279,865-record breach at Oklahoma State University Center for Health Sciences that was reported in January and the 134,512-record breach at St. Peter's Surgery & Endoscopy Center, reported in February 2018.