Cedars-Sinai Data Breach in L.A. Much Worse than Advertised

Tuesday, October 07, 2014

When Cedars-Sinai Medical Center announced in August that one its laptops had been stolen in June, officials said the records of 500 patients may have been compromised.

That wasn’t wrong, since 500 is less than 33,136—the new, improved estimate of victims released last week. The records stolen varied depending on the individual, but consisted of “some combination of medical record number, patient identification number, lab testing information, treatment information and diagnostic information. A small percentage of the files also contained the patient's Social Security number or other personal information.”    

The Los Angeles Times said the data includes Social Security numbers of around 1,500 patients, in addition to driver’s license numbers and dates of births for others. The files were on a laptop taken home by an employee who troubleshoots clinical laboratory software problems outside regular business hours.   

“Cedars-Sinai takes the security of our patients' health information very seriously, and has multiple security safeguards in place to protect health information,” hospital chief privacy officer David Blake said in an August statement.

That level of seriousness did not extend to encrypting the computer files despite a hospital policy requiring the higher level of security. The laptop did have a password. “Even a potential data security incident on a single computer, as has occurred here, is not acceptable to us,” Blake wrote. “We apologize.”

The hospital is in the process of making sure all its laptops are, indeed, encrypted. The California Attorney General’s office likes encryption and noted in a report last year (pdf) that more than half the 2.5 million victims of data breaches it surveyed in the state in 2012 would have benefited from its presence. About 15% of the 131 incidents noted by the AG were in health care. The study did not seek out breaches with fewer than 500 individuals.

Even at 33,136 victims, the Cedars breach is small compared to other recent failings. In March, it was revealed that personal and medical data on 168,500 Los Angeles County healthcare patients was stolen February 5 from a private firm handling billing and collections. That number was later upgraded to 330,000.

Medical records are hot commodities on the black market. They can be used for insurance fraud as well as the standard bank and credit card fraud associated with identity theft. But they certainly aren’t the only records stolen.

The Breach Level Index calculates that 2.2 billion records have been stolen worldwide since 2013. JPMorgan Chase was host to the latest and greatest data breach reported to the public. While the Index lists that theft as 1 million-plus, JPMorgan said last week that 76 million records were compromised when its computers were hacked last month. Two weeks ago, the company said the breach only affected 1 million people.

–Ken Broder


To Learn More:

Cedars-Sinai Says Number of Patient Files in Data Breach Much Higher (by Stuart Pfeifer, Los Angeles Times)

Cedars-Sinai Reports Unencrypted Laptop Theft, Data Breach (by Patrick Ouellette, Health IT Security)

Cedars-Sinai Health System Issues Notice of Data Incident (Press release)

Why the JP Morgan Data Breach Is Like No Other (by Jake Swearingen, The Atlantic)

Class-Action Lawsuit Claims “Reckless” Release of 32,500 Hospital Records (by Ken Broder, AllGov California)

Leave a comment