Victim Tally in L.A. Breach DoublesStolen PCs Stored More Data Than Originally Estimated
The estimate for the number of victims affected by a recent breach involving a vendor that provides patient billing and collection services to the Los Angeles County departments of health services and public health has doubled to 338,700 individuals.
When the incident involving the Feb. 5 theft of eight unencrypted desktop computers from a Torrance, Calif., office of Sutherland Healthcare Services was first disclosed on March 6, the total number of victims was said to be 168,500 (see: L.A. Breach Linked To Stolen Computers.)
In an updated statement posted on the websites of the LA County departments, Sutherland says, "After analyzing the information contained on the stolen computers, we identified a group of impacted individuals and on Feb. 25, 2014, we provided that information to Los Angeles County. Since then, we have continued our analysis to determine if other individuals were affected. On March 27, 2014, we provided Los Angeles County with updated information."
The computers contained personal information, including patient names, Social Security numbers, and billing information. In addition, the stolen computers may have included individuals' dates of birth, addresses, diagnoses and other medical information, the statement says.
Affected individuals are being offered one year of free credit monitoring service.
LA County has used Sutherland as a vendor for about 20 years, and has been working with the firm in the aftermath of the breach to address Sutherland's data security, says David Sommers, a county spokesman. The jump in the number of breach victims was "a surprise" to the county, which was unaware that Sutherland was still conducting its forensics investigation into the breach, he says. "We understand the gravity of this."
When unencrypted devices are lost or stolen, it's common for breach victim estimates to change as the investigation continues, says security expert Darren Leroux of WinMagic, a vendor of encryption and other security solutions. "Understanding what was on the stolen device can be a complex process," he says.
"If regular back-ups weren't done, it can be very challenging to try and understand what exactly was at risk or exposed. As they work with the employee and know access rights, etc., they can piece together the type of information that was accessible and stored on the device and that is likely why the numbers grow," Leroux says. "The best way to be more accurate is to do regular system backups, whether it's weekly or daily. But that can be a challenge to implement and can affect system performance and requires a hefty back-end storage infrastructure."
If details of the breach are confirmed by the Department of Health and Human Services' Office for Civil Rights, the incident will be the largest breach reported so far in 2014, according to OCR's "wall of shame" website listing breaches affecting 500 or more individuals since September 2009.Sommers says three class-actions lawsuits have been filed against Sutherland and LA County in the aftermath of the breach. Those include a lawsuit filed in early March, which alleges violations of various California laws, was filed by attorneys for one unnamed plaintiff on behalf of those impacted by the breach (see Class Action Suit Filed In L.A. Breach).