On September 24, 2018, a laptop computer was taken from a Raley’s pharmacy that may have held some patients’ private health information.
Raley’s pharmacy swiftly initiated an inquest to discover what information was stored on the laptop in question. Interviews with staff members who had used the device were carried out to try and understand the types of content that may have been impacted. The email accounts of staff members were also reviewed for attachments and links to documents that included ePHI, to determine which files had been downloaded or were stored in cache files in a temporary directory on the device.
After careful reviews, Raley’s Pharmacy was able to deduce that the only patients impacted by the security incident were those that had attended a Raley’s, Bel Air, and Nob Hill Foods pharmacy between January 1, 2017 and September 24, 2018 to have prescription orders fulfilled.
An audit of the files which had possibly been downloaded to the laptop showed that highly sensitive information such as Social Security numbers, addresses, credit card information, and driver’s license details had not been compromised. The breach was restricted to first and last names, gender, birth dates, visit dates, pharmacy location attended, medical condition, prescription information, and health plan ID account numbers.
As Health plan/insurance information has potentially been exposed, impacted patients have been warned to monitor their Explanation of Benefits statements for any sign of illegal activity.
The security incident has lead to Raley’s Pharmacy to adapting encryption on all laptops to stop data access by unauthorized persons should further theft incidents happen. Additional security controls are also being considered.