On September 25, 2013, Kaiser Foundation Hospital in Orange County suffered a data breach due to a missing USB flash drive containing unencrypted patient information. The compromised data included names, Medical Record Numbers (MRNs), and dates of birth, though no Social Security numbers (SSNs) were exposed. The incident was formally reported to the California Office of the Attorney General on November 25, 2013, nearly two months after the breach occurred. The loss of the USB drive posed a significant risk of unauthorized access to sensitive health records, potentially enabling identity theft, medical fraud, or targeted phishing attacks against affected individuals. While the breach did not involve financial data (e.g., credit cards) or full personally identifiable information (PII) like SSNs, the exposure of medical identifiers (MRNs) and demographic details heightened concerns over patient privacy violations and compliance with healthcare data protection laws (e.g., HIPAA). The delay in detection and reporting further exacerbated risks, as the missing device could have been accessed by unauthorized parties during the interim. The incident underscored vulnerabilities in physical data security and the need for stricter controls on portable storage devices in healthcare settings.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-43366
TPRM report: https://www.rankiteo.com/company/scpmgcareers
"id": "scp741082025",
"linkid": "scpmgcareers",
"type": "Breach",
"date": "9/2013",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{
    'affected_entities': [
        {
            'industry': 'Healthcare',
            'location': 'Orange County, California, USA',
            'name': 'Kaiser Foundation Hospital, Orange County',
            'type': 'Hospital'
        }
    ],
    'attack_vector': 'Lost/Stolen USB Flash Drive',
    'data_breach': {
        'data_exfiltration': 'No (physical loss of device)',
        'personally_identifiable_information': ['Names', 'Medical Record Numbers', 'Dates of Birth'],
        'sensitivity_of_data': 'Moderate (health information without SSNs)',
        'type_of_data_compromised': ['Protected Health Information (PHI)']
    },
    'date_detected': '2013-09-25',
    'date_publicly_disclosed': '2013-11-25',
    'description': 'The California Office of the Attorney General reported that Kaiser Foundation Hospital, Orange County experienced a data breach involving missing information from a USB Flash Drive. The breach potentially affected health information such as names, Medical Record Numbers, and dates of birth; however, no Social Security numbers were involved.',
    'impact': {
        'brand_reputation_impact': 'Potential reputational harm due to exposure of sensitive health information',
        'data_compromised': ['Names', 'Medical Record Numbers', 'Dates of Birth'],
        'identity_theft_risk': 'Low (no Social Security numbers involved)'
    },
    'post_incident_analysis': {
        'root_causes': 'Improper handling/securing of physical media containing PHI'
    },
    'references': [{'source': 'California Office of the Attorney General'}],
    'regulatory_compliance': {
        'regulations_violated': ['Potential HIPAA violation (unsecured PHI)'],
        'regulatory_notifications': ['California Office of the Attorney General']
    },
    'response': {
        'communication_strategy': 'Public disclosure via California Office of the Attorney General'
    },
    'title': 'Kaiser Foundation Hospital, Orange County Data Breach (2013)',
    'type': 'Data Breach (Physical Loss of Device)'
}