Raley’s Pharmacy, associated with the family-owned Raley’s supermarket chain, has announced that up to 10,000 patients may have had their protected health information (PHI) compromised following the theft of a laptop from one of their branches.
The laptop computer was taken from the pharmacy on September 24, 2018 during a “security incident”. Local authorities were informed of the incident, and an investigation was launched into the nature of the information which was stored on the device. Staff members were interviewed about how the device was used and what types of security measures were in place to protect any confidential information. Employees’ email accounts were also checked for attachments or information that contained PHI, in case they were logged into those accounts when the laptop was stolen or the information was stored in cache files in a temporary directory on the laptop.
Investigators for Raley’s Pharmacy were able to determine that the only patients affected by the security incident were those who had visited a Raley’s, Bel Air, or Nob Hill Foods pharmacy between January 1, 2017 and September 24, 2018 to have prescriptions filled. It is estimated that this amounts to 10,000 patients.
An analysis of the files which had potentially been downloaded to the laptop confirmed that highly sensitive information such as Social Security numbers, addresses, credit card information, and driver’s license numbers had not been compromised. The breach was limited to first and last names, gender, dates of birth, visit dates, pharmacy location visited, medical condition, prescription information, and health plan ID numbers.
There is no evidence that the patient information has been misused at this point. However, since health plan/insurance information has potentially been exposed, affected patients have been advised to monitor their Explanation of Benefits statements for any sign of fraudulent activity. If a patient sees any unusual activity on their devices, it is recommended that they contact Raley’s immediately for advice on how to proceed.
The security incident has prompted Raley’s Pharmacy to implement more robust measures to ensure that all of their patient data is adequately secured in accordance with the safeguards outlined by HIPAA’s Security Rule. Encryption is to be placed on all laptops to prevent data access by unauthorized individuals should further theft incidents occur. Additional security controls are also being evaluated.
Most breaches from healthcare organisations arise from cybersecurity incidents. Therefore, emphasis has recently been placed on technical and administrative safeguards such as encryption and two-step authentication. However, the incident at Raley’s shows that physical safeguards should not be underestimated, and circumstances such as the physical theft of a device pose huge threats to the integrity of patient information.