In its second reported data breach this fall, Kaiser Permanente is notifying some 49,000 patients seen at its Anaheim Medical Center that their protected health information has been compromised after an unencrypted USB flash drive containing patient data went missing.

The USB drive, which also had no password protection, was discovered missing Sep. 25, according to patient notification letters sent out Nov. 25. Patient names, dates of birth, medication data and medical record numbers were all contained on the drive. 

"On behalf of Kaiser Permanente, we offer our sincerest apology that this unfortunate incident occurred," wrote Julie Miller-Phipps, senior vice president and executive director of Kaiser Foundation Hospitals Orange County, in the letter. "We assure you that safeguarding your information is one of our highest priorities."

[See also: Kaiser Permanente sends out breach letters after email gaffe.]

Kaiser Permanente also in September notified 670 patients of a HIPAA breach after an emailed attachment containing the protected health information of patients was sent to a recipient outside the Kaiser network. Patient names, medical record numbers, email addresses, employers, phone numbers, department names and appointment dates for health screenings were sent to the recipient. 

HIPAA covered entities and business associates responsible for violating HIPAA privacy and security rules by failing to safeguard patient protected health information could face a potential up to $1.5 million in annual fines. 

This story will be updated.