ASH data breach more extensive than initially reported 

A data breach at Atascadero State Hospital appears to be more severe than state officials initially thought, as the investigation into what happened remains ongoing.

click to enlarge

• File Photo By Steve E. Miller
• BREACH DETECTED The Department of State Hospitals is investigating a data breach at Atascadero State Hospital (pictured) involving the personal information of patients, former patients, and employees.

On March 18, the Department of State Hospitals (DSH) announced that an employee with access to Atascadero State Hospital data servers improperly obtained more than 1,400 patient and former patient names, more than 600 employee names, as well as COVID-19 test results and health information related to COVID-19 tracking. On April 5, the department announced that additional data was accessed in the same breach, including Social Security numbers, addresses, phone numbers, email addresses, dates of birth, and employment-related health information for more than 1,700 employees and former employees, plus more than 1,200 job applicants.

"The newly identified data was discovered during the investigation of the same employee," according to a department statement. "DSH is continuing its investigation of the data breach and has placed the principal subject of the investigation on administrative leave pending completion of the investigation."

The statement added that, at this time, the department has no evidence that the individual used the data.

Ken August, assistant director of the DSH Office of Communications, said via email that protecting sensitive information is a top concern for the department.

"The DSH Privacy and Security Programs regularly review, investigate, and analyze privacy incidents for potential data breaches pursuant to its information and systems and access rights policy and procedure and incident response plan," August wrote. "Additionally, DSH monitors employee access rights to data folders annually, and administrative account access quarterly, to ensure role-based access is maintained for confidential information."

The breach was first detected on Feb. 25, and the investigation so far indicates that the individual started improperly accessing the data 10 months prior.

"The safeguards put in place by DSH's policy and procedure in relation to employee access to data files did not catch the unauthorized actions earlier because they were identical to the actions that the employee was authorized to do when performing their job functions," a FAQ sheet explained. 

The investigation was triggered when an annual department audit identified the atypical actions.

To prevent a similar breach in the future, the department plans to log, monitor, and review administrator access and activity more regularly, the document said.

Whether the breach was intentional and the reason why the individual accessed the files are unknown, the document added. However, the data that the individual accessed was "without any apparent connection to their job duties, indicating a high probability of unauthorized access."

Impacted individuals were informed of the breach within 15 business days of its discovery. Δ