- Elizabeth Larson
- Posted On
Break-in leads to Behavioral Health Services data breach; police investigation under way
Todd Metcalf, administrator of Lake County Behavioral Health Services, said staff discovered a break-in on the morning of Dec. 6 that had occurred the previous night at the Lake County Behavioral Health Services clinic, located at 7000-B South Center Drive in Clearlake.
Metcalf said the protected health information taken varied by client, and generally included some or all of the following elements: full name; prescribed medication; case number; appointment dates and times; phone number; payments; and amounts due for services received.
One compromised client file additionally contained a full Social Security Number, date of birth, disability status, medical history, substance use history, Medi-Cal beneficiary identification number, and income verification information,” Metcalf said.
Metcalf told Lake County News that the total number of potential individuals compromised is approximately 1,200.
“We have sent state-approved letters to each informing them of the incident,” Metcalf said.
The notices, according to Metcalf, detail the type of information potentially accessed.
Metcalf said the reason for the two-month delay between the break-in and the county’s public report on it was because his agency was unaware of the state’s protocol.
“Rest assured we did our due diligence and reported the incident immediately to the California Department of Health Care Services, but were just made aware of the necessity of a press release last Thursday due to the number of potential clients affected,” Metcalf said.
State civil code, which was updated with new legislation last year, includes numerous protections for consumer and health information and requirements for reporting them.
The California Attorney General’s Office reports that businesses, state and local government agencies that report personal information breaches that involve more than 500 state residents must submit to the state a data breach report.
So far, the Attorney General’s Office’s online searchable breach reports don’t include Lake County Behavioral Health’s incident.
Police investigation under way
Metcalf said the Clearlake Police Department was notified immediately of the break-in.
Based on the investigation so far, the single point of entry was a locked front window that was kicked in, he said.
From there, access was gained through a locked office, resulting in the theft of a locked filing cabinet used for storage of client protected health information, Metcalf reported.
Clearlake Police Chief Andrew White told Lake County News Tuesday that the incident initially was reported to police as a break-in, at which point it wasn’t known that a theft had occurred.
Officers went to the scene to investigate and were unable initially to locate a point of entry but found a point of exit, White said.
White said at the time the break-in was reported in December, his officers dusted for fingerprints but were unable to recover any due to issues with the surface, which he explained can include excessive dust.
It wasn’t until a county press release on the data breach and theft came out on Tuesday morning that White said he became aware that the filing cabinet had been stolen.
“We are unclear at this point as to what caused it not to be relayed to us,” White said.
White said he has since talked to Metcalf and a Behavioral Health staffer and is working with them.
“We’ll be following up on this new information we learned today on the compromised data,” White said Tuesday afternoon.
Metcalf explained that the Clearlake Police Department was informed immediately once Behavioral Health discovered the break-in, however, the missing filing cabinet was not discovered until after the report was made.
“Oddly enough, the filing cabinet is on wheels and is often moved about the building, so that’s why it was not noticed until after the police report was made,” he said.
Clearlake Police Det. Steve Hobb is assigned to the investigation. White asked that anyone with information about the case contact Hobb at 707-994-8201, Extension 321.
Taking new security measures
Metcalf said they’ve had a few recent break-ins, and are now taking a series of new measures to further secure protected health information.
Those measures include relocating any cabinets containing protected health information into a locked room that has no windows, located deep in the interior of the clinic complex, he said.
They’ve also initiated the installation of a security system in the Clearlake building that includes video surveillance and 24-hour monitoring, Metcalf said.
He said an alarm system also is being installed at the agency’s Lucerne clinic to ensure these situations will not happen in the future.
“We’re trying to cover all the bases,” Metcalf said.
Due to the risk of identity theft, White encouraged people to closely follow their credit reports.
For those individuals who are impacted, Behavioral Health encourages them to consider taking immediate action to protect their identity.
Precautions include the following.
Registering a fraud alert with the three credit bureaus:
– Experian: 888-397-3742; www.experian.com
– TransUnion: 800-680-7289; www.transunion.com
– Equifax: 866-349-5191; www.equifax.com
Ordering a free report from all three credit bureaus:
– Ordering online: http://www.annualcreditreport.com/cra/index.jsp .
For those with additional questions, they may contact Vanessa Mayer at 707-274-9101.
Email Elizabeth Larson at This email address is being protected from spambots. You need JavaScript enabled to view it. . Follow her on Twitter, @ERLarson, or Lake County News, @LakeCoNews.