Title: Silicon Valley Eyecare Optometry and Contact Lenses - Public Notice of a Breach, California
Date: 06/15/10
Business Activities: Security - Physical Safeguards, Security - Technical Safeguards, Breach Response
Impact to Subscriber:

A computer server (the "server") was stolen from a medical office, where it was stored behind locked doors and protected by security cameras and an alarm system to the police office. The server contained personal information on patients, including personal health information, names, addresses, phone numbers, email addresses, birthdates, names of family members, medical insurance information and social security numbers. It was password protected on two levels: a detailed password to access the server and a second password to access the patient data base. Patient files were retrieved because the data base was backed up nightly and an encrypted copy was stored off-site.

Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:

  • Silicon Valley Eyecare Optometry and Contact Lenses (the "Company") experienced a breach of personal health information ("PHI").


Relevance to Business Activities: 

  • security - physical and technical safeguards considerations:
    • the Company's office was burglarized and a computer server (the "server") was stolen [Risk]:
      • the server:
        • was stored behind locked doors [Control]:
          • with security cameras [Control]; and
          • an alarm system to the police office [Control].
        • was password protected on two levels:
          • a detailed password to access the server [Control]; and
          • a second password to access the patient data base [Control].
        • contained personal information on patients, including:
          • names, addresses, phone numbers and email addresses;
          • birthdates;
          • names of family members;
          • medical insurance information [Risk];
          • social security numbers [Risk]; and
          • confidential PHI [Risk].

 

  • breach response considerations impacting security - physical and technical safeguards:
    • the Company published a breach notice on its website, indicating that:
      • the thieves were filmed on its surveillance cameras;
      • its alarm system was activated and police notified [Control];
      • it was able to restore the data and retrieve patient records since:
        • its patient data base is backed up nightly [Control]; and
        • an encrypted copy is stored off-site [Control].
      • it had notified all affected individuals within 60 days by letter or an e-mail sent to the most recent address it had on file;
      • no reports had been received of identity theft associated with this incident;
      • affected individuals should protect themselves by:
        • placing a fraud alert on their credit file; and
        • visiting the Federal Trade Commission Identity Theft Center web site for information on identity theft.
      • steps taken to improve security included:
        • installing laminated security windows in the back areas of its office [Control]; and
        • storing its new server in a metal, locked safe that is bolted to the floor [Control].


Source Document:


http://sites.google.com/site/svepublicnotice/Public-Notice  
