The Los Angeles Times reports on a security breach concerning the privacy of patient data at UCLA Health System. Note that though the hard drive containing the medical data was encrypted, the password was written on a piece of paper near the drive:
The UCLA Health System is warning thousands of patients that their personal information was stolen and they are at risk of possible identity theft, officials said in a statement released Friday.
Officials don’t believe the information has been accessed or misused but are referring patients to a data security company if their name and credit are affected.
Altogether, 16,288 patients’ information was taken from the home of a physician whose house was burglarized on Sept. 6, according to the UCLA Health System. […]
The stolen patient information included first and last names as well as some birth dates, medical record numbers, addresses and medical information, officials said. It did not include Social Security numbers, credit card or insurance details. The patient information was from 2007 through 2011.
The data were on the physician’s external hard drive, officials said. Though the hard drive was encrypted, a piece of paper with the password was nearby and is also missing. The physician notified UCLA the next day and officials began identifying patients affected.
The theft is not the first breach at UCLA. Between 2005 and 2009, hospital officials were repeatedly caught and fired for reviewing, without authorization, the medical records of dozens of celebrities, including Britney Spears and Farrah Fawcett. That prompted a state law imposing escalating fines on hospitals for patient privacy lapses. State regulators later fined Ronald Reagan UCLA Medical Center in connection with privacy breaches involving the records of Michael Jackson.