UCLA Healthcare began notifying blood donors June 5 that a
laptop containing their confidential information had been stolen in
November 2003.
The computer housed data including the social security numbers,
names and dates of birth of those who donated to the UCLA
Healthcare Blood Bank in the past 15 years. The database, which
contains information for about 145,000 individuals, is protected by
a password.
The university initially filed incident reports in November with
University police and the Los Angeles Police Department. The laptop
was in a UCLA van in Compton when the incident occurred, and UCPD
is not investigating the case at this time, said Nancy Greenstein,
director of police community services.
UCLA Healthcare did not work to inform donors in a comprehensive
manner until June 5, when it began sending out letters to
individuals whom the situation may affect.
California law requires agencies that keep computerized data on
personal information to notify the owner of that information
“of any breach of the security of the data immediately
following discovery” if the information was or is reasonably
believed to have fallen into the hands of an unauthorized
person.
The definition of personal information under SB 1386 includes an
individual’s first name or first initial and last name in
combination with that person’s social security number.
Michael McCoy, chief information officer for UCLA Healthcare,
said donors weren’t informed when the situation occurred
because police who assessed the situation said the theft was
targeting the laptop, not the data it contained.
The decision to tell donors about the missing information came
after staff reevaluating the university’s compliance with
laws recognized that there had been a breach of personal
information, said Frances Ridlehoover, UCLA Healthcare’s
chief operating officer.
“This case came up as one we needed to go back and look
at. Our disclosure of this information was done because this was a
right thing to do,” she said.
McCoy added that a laptop being used by an analyst at the UCLA
Medical Center was stolen in the past couple of weeks. That machine
contained information on patient accounts, he said.
“The circumstances surrounding this are actually somewhat
different … It was on UCLA property in a business office and in a
somewhat secure area,” he said.
The university is working on figuring out which patients had
their information stored in the computer, and plans to send out
notifications to individuals affected as soon as that process is
complete.
In response to November’s incident and rising concern
about identity theft, UCLA Healthcare is modifying its practices to
further protect information in light of increasing
technology-enabled threats, said Priscilla Figueroa, director of
the division of transfusion medicine.
At the Blood and Platelet Center, changes made since the
November theft include increasing the complexity of password
protection on laptops and encrypting sensitive information.
In addition, only the last four digits of donors’ social
security identification will be listed in the mobile databases.
McCoy said e-mails sent over the past months have directed staff
to keep personal information somewhere other than a laptop. The
messages also advise staff to take special measures –
password usage and encryption – to protect all sensitive
information.
“We do regret the time lag between when the computer was
stolen – when we thought the computer was purely a property
loss – and when it was recognized it was a loss of data and
patient privacy potential as well,” he said.
The Blood and Platelet Center prides itself on its relationship
with donors, and the possibility of theft discouraging potential
clients from giving is “devastating,” Figueroa
said.
“We’re very distraught about this,” she
said.
“We’re going to do everything that it takes to make
sure (donors’) personal information is secure. We want them
to come back and donate – patients who need their blood are
still here. And we don’t want those people to pay for any
mistakes that we made.”