updated 11:40 am EDT, Mon March 10, 2014
Intent of theft unknown, patients being informed a month after theft
Medical and personal information for up to 168,500 patients is potentially at risk following a computer theft in Los Angeles, California. The Sunderland Healthcare Solutions office was broken into on February 5, and computers holding the data were stolen. Public notification of the potential data breach began going out on March 6, a month after the theft. The data held on the stolen computers includes patients' full names, Social Security numbers, some medical information limited to diagnoses, birth dates, and addresses.
"We take this incident very seriously and are taking the necessary precautions to protect all patient related information from theft or criminal activity," Sunderland Healthcare Solutions said in a statement released to the public over the weekend. "We and Los Angeles County are actively working with law enforcement."
Torrance police Sgt. Robert Watt was not certain whether the computers were stolen for the data on them or for the value of the hardware itself. "It's hard to say what the frame of mind of the suspects was -- did they know what was inside these computers?" he wondered. "That's what we're trying to find out."
The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires organizations like Sunderland Healthcare Solutions to encrypt stored data that is exposed to the Internet. The requirements in the law are more lax for "at-rest" data that is inaccessible to the public at large, stored behind a firewall, and properly physically secured. The law requires public notification if data is stolen while unencrypted, or if the encryption key is stolen along with the data, but does not require the same notification if the data was encrypted prior to the loss and the encryption key was not lost with it. A minimum of AES-128 encryption is required for publicly facing data.
It has not been disclosed whether the data was encrypted, or what kind of hardware was stolen -- workstations or servers. Given the volume of data potentially exposed, the most likely class of device stolen is a server or servers, since no single workstation should hold that much patient information at once.
"I'm not aware of another breach of this significance ever having occurred," LA County Assistant Auditor-Controller Robert Campbell told the Los Angeles Times, regarding the theft of the eight computers containing the data. Campbell said that the Department of Health was informed of the breach on February 10, five days after the theft.