Personal and medical data on 168,500 Los Angeles County healthcare patients was stolen February 5 from a private firm handling billing and collections, which 20 days later began sending out notices to those affected.
Sutherland Healthcare Solutions said burglars broke into its Torrance office and stole eight computers and two monitors with data from the county Department of Public Health and the Department of Health Services. The company reported the theft to the county five days after the break-in and started notifying patients, it said, after verifying who was affected and what was lost.
The data included first and last names, Social Security numbers, birth dates, billing information and medical diagnoses. L.A. County Assistant Auditor-Controller Robert Campbell told the Los Angeles Times, “I'm not aware of another breach of this significance ever having occurred.”
Police said they don’t know if the thieves were after the data or even knew what they had. They presumably know now if they pay attention to news reports.
There have been no reports that the data has been used for identity theft.
The letter (pdf) sent by Sutherland to patients assures them that the company takes “patient privacy very seriously,” but doesn’t mention whether it cared enough to encrypt the data. The California Attorney General’s office likes encryption and noted in a report last year (pdf) that more than half the 2.5 million victims of data breaches it surveyed in the state in 2012 would have benefited from its presence.
About 15% of the 131 incidents noted by the AG were in health care. The study did not seek out breaches affecting fewer than 500 individuals.
The company took the usual steps after the breach was announced and the countdown to lawsuits began: it set up a not-so-hot hotline, began reviewing its security protocols, and offered customers free credit monitoring and advice on how to prevent identity theft.
Last month, a class-action lawsuit was filed against Cottage Health System of Goleta after the confidential medical records of 32,500 patients were exposed to the Internet and were just a Google search away for months.