When 168,500 Los Angeles County healthcare patients began to be notified that their personal data had been stolen February 5, County Assistant Auditor-Controller Robert Campbell told the Los Angeles Times, “I'm not aware of another breach of this significance ever having occurred.”
Now, he is.
County officials doubled the number of victims on Thursday, adding 170,200 more to the list for notification letters (pdf). The information from the county Department of Public Health and the Department of Health Services was in eight computers stolen from Sutherland Healthcare Solutions office in Torrance. They are a billing company.
The data included first and last names, Social Security numbers, birth dates, billing information and medical diagnoses. There is no indication the information was encrypted. The California Attorney General’s office likes encryption and noted in a report last year (pdf) that more than half the 2.5 million victims of data breaches it surveyed in the state in 2012 would have benefited from its presence.
There have been no reports that the data has been used for identity theft, but victims aren’t waiting to find out before taking legal action. Three class-action lawsuits have reportedly been filed against the county over the data breach, but judging from the growing victims list, there could be more.
One of the lawsuits, which seeks class-action status (pdf) on behalf of A. Doe, accused Sutherland of negligence for taking a month to notify them of the breach and probably not encrypting the data. The lawsuit demands that the company stop that and give them an, as yet, undetermined amount of money.
Part of the money would be to compensate victims for the suit claims is woefully inadequate security compensation Sutherland offered after it made known the breach. Basically, Sutherland offered free credit monitoring for a year and a toll-free hotline to complain.
Sutherland said a video recorded at the scene shows a man stealing the HP Pro 3400 computer towers and two monitors. The company has offered a $25,000 reward for information leading to the arrest of the culprits or return of the equipment.