Printed from http://www.electronista.com

LA office theft potentially releases personal info on 168,500 patients

updated 11:40 am EDT, Mon March 10, 2014

Intent of theft unknown, patients being informed a month after theft

Medical and personal information for up to 168,500 patients is potentially at risk following a computer theft in Los Angeles, California. The Sunderland Healthcare Solutions office was broken into on February 5, and computers holding the data were purloined. Public notification of the potential data breach started going out on March 6, a month after the theft. The data at risk on the stolen computers comprises patients' full names, Social Security numbers, birth dates, addresses, and some medical information limited to diagnoses.

"We take this incident very seriously and are taking the necessary precautions to protect all patient related information from theft or criminal activity," Sunderland Healthcare Solutions said in a statement released to the public over the weekend. "We and Los Angeles County are actively working with law enforcement."

Torrance police Sgt. Robert Watt was unsure whether the computers were stolen for the data or for the material worth of the hardware. "It's hard to say what the frame of mind of the suspects was -- did they know what was inside these computers?" he wondered. "That's what we're trying to find out."

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires agencies like Sunderland Healthcare Solutions to encrypt stored data that is publicly facing the Internet. The requirements in the law are more lax for "at-rest" data that is inaccessible to the public at large, stored behind a firewall, and properly mechanically secured. The law requires public notification if purloined data is unencrypted or if the encryption key is stolen with the data, but does not require the same notification if the data was encrypted prior to the loss and the encryption key was not lost. A minimum of AES-128 encryption is required for publicly facing data.

It has not been made known if the data was encrypted, or what kind of hardware was stolen -- workstations, or servers. Given the volume of the data that has been potentially leaked, the most likely class of device stolen is a server, or servers, as no single workstation should hold that much patient information at once.

"I'm not aware of another breach of this significance ever having occurred," LA County Assistant Auditor-Controller Robert Campbell told the Los Angeles Times, regarding the theft of the eight computers containing the data. Campbell said that the Department of Health was informed of the breach on February 10, five days after the theft.



By Electronista Staff