Employee Retaining Stored Patient List on Personal Laptop Triggers Data Breach Obligation

An employee of East Bay Perinatal Medical Associates in Oakland, CA, retained on his personal laptop, a patient list that he had prepared as part of his job. The list did not contain PHI information but it did contain PII information. The Berkley Police discovered the list during an unrelated investigation and notified EBPMA that it was on the computer. This action — alone — was sufficient to trigger the notification requirement of the California data breach notification law, at great expense and frustration for EBPMA.

Do you still think that your company isn’t at risk for a data breach? If so, go ahead and get familiar with the image below — this is the first page of the template for the notification that EBPMA had to send out!


This site uses Akismet to reduce spam. Learn how your comment data is processed.