Riverside County Regional Medical Center

The covered entity (CE), Riverside County Regional Medical Center, reported that on or around June 18, 2014, a laptop computer used with an electromyography (EMG) machine was a lost or stolen. The laptop contained 563 patients’ electronic protected health information (ePHI) and included patients’ names, medical record numbers, dates of birth, ages, genders, patients’ heights and weights, physicians’ names, clinical data, and study reports. The CE provided breach notification to HHS, affected individuals and the media, and also reported the incident to local law enforcement. Following the breach, the CE encrypted the laptop, locked the department during non-business hours, and changed EMG data transfer processes. Additionally, the CE took steps to address gaps in its security management program to further safeguard ePHI, especially after two additional lost or stolen laptops (breach incidents) occurred within a six month period, which OCR investigated jointly with this breach. OCR obtained assurances that the CE implemented the corrective actions noted above and provided technical assistance on the requirements of the HIPAA Security Rule.
Location of breached information: Laptop
Business associate present: No