L.A. Breach Linked to Stolen ComputersThousands of County Health Dept. Patients Affected
The recent theft of eight unencrypted desktop computers from a vendor that provides patient billing and collection services to the Los Angeles County departments of health services and public health has resulted in a breach affecting 168,500 individuals.
In a statement posted March 6 on a Los Angeles County website, the vendor, Sutherland Healthcare Solutions, says its Torrance, Calif. office was broken into on Feb. 5 and computers were stolen.
"The police were immediately notified and the investigation is ongoing," the statement notes. "As a result of our analysis, on Feb. 25, we confirmed to Los Angeles County that [patient] personal information was identified as being on the stolen computer equipment."
Information contained on the unencrypted computers included patients' names, Social Security numbers and billing information. In addition, the stolen computers may have also contained the date of birth, addresses, diagnoses and other medical information for some patients.
In response to the incident, Sutherland and Los Angeles County are reviewing the vendor's privacy and security procedures and systems to determine whether enhancements should be made. Sutherland is also providing additional training to its workforce, the company says. Sutherland is working with the Torrance Police and Los Angeles County district attorney during their investigations related to the theft.
The statement posted on Los Angeles county's site also says that the county will be notifying the U.S. Department of Health and Human Services' Office for Civil Rights about the incident. Breach victims are also being offered one year of free credit monitoring services.
Breaches involving the theft or loss of unencrypted devices are the most common incidents appearing on HHS' "wall of shame" website, which lists breaches affecting 500 or more individuals since September 2009.
Business associates have been involved in more than 20 percent of major breaches since 2009.
"Sutherland Healthcare Solutions provides business process outsourcing solutions to clients so it appears that they are a business associate with the LA County health department," notes security expert Brian Evans, a principal of Tom Walsh Consulting. "However, I would expect the organization who owns the compromised data be the one who notifies the breach victims, which appears to be the health department in this case."
Under the HIPAA Omnibus Rule, business associates are directly liable for HIPAA compliance and must notify their covered entity clients of breaches impacting patients' data. But covered entities are responsible for notifying affected individuals. The statement about the breach posted on the LA County website contains Sutherland's letterhead.
While the encryption of patient data at rest is generally advised by HHS, the decision to encrypt isn't always clear cut, some experts says.
"This was a physical theft of machines that were likely in Sutherland's building, so encryption would not likely be the norm," says privacy attorney David Navetta of the information Law Group. "One potential lesson is not to forget physical security - we do see a very high focus and spend related to IT security, but sometimes it is easy to forget what is right under your nose," he says.
"Most organizations do not encrypt their desktop computers because the likelihood of theft can generally be deemed as low," Navetta says."But as this case illustrates, some physical areas have a greater likelihood of theft than others which is why a risk analysis is so important."
Organizations should conduct periodic walk-throughs to ensure their computers are positioned to limit the threat of theft or data exposure, Evans advises.
Another lesson that can be learned from this latest breach "is that the cost to prevent a data breach can often be less than the cost of mitigating one," he adds. "The LA County health department should have previously assessed the risks associated with the surroundings of these computers and analyzed any potential negative impacts identified," he says.
Evans offers another breach prevention tip: "One low-cost way to avoid these types of disclosure issues is to restrict computers so users cannot save to their hard drive and are technically required to store information on networked servers. Virtualizing computers is another solution, which also stores information on networked servers. Servers are typically located in physically secured data centers or rooms making them less susceptible to theft."
Los Angeles County officials did not respond to Information Security Media Group's request for comment on the breach.