By JOSH FRIEDMAN
In addition to accessing health information, social security numbers and other personal information belonging to Atascadero State Hospital patients, workers and job applicants, an ASH information technology employee also improperly accessed the immigration backgrounds of individuals affiliated with the facility.
The Department of State Hospitals (DSH) in March acknowledged the ASH information technology worker accessed health information, including coronavirus test results, belonging to approximately 1,415 current and former patients and 617 staffers. The hospital employee who accessed the information had access to ASH’s data servers as part of his or her job.
Last month, DSH disclosed the employee also improperly accessed personal information, including addresses, phone numbers, email addresses, social security numbers, dates of birth and health information, of approximately 1,735 current and former employees, as well as 1,217 job applicants who never ended up working for ASH.
Then on Tuesday, DSH announced it discovered additional data the employee improperly accessed. The additional data consists of immigration information for 38 unspecified individuals; dates of birth and the last four digits of the social security numbers of approximately 20 individuals; and 80 individuals’ personal information, including addresses, phone numbers, email addresses, social security numbers, dates of birth and driver’s license numbers. Furthermore, the information technology worker accessed health information belonging to a combined total of 81 DSH employees, former employees and job applicants who never worked for California state hospitals.
DSH officials discovered the data breach on Feb. 25 as part of the agency’s annual review of employee access to data folders. DSH is investigating the breach with assistance from the California Highway Patrol.
The staffer who accessed the personal and health data remains on administrative leave, pending the outcome of the investigation. Thus far, investigators have obtained no evidence indicating the employee used or attempted to use the information compromised in the data breach.