LA office theft potentially releases personal info on 168,500 patients

updated 11:40 am EDT, Mon March 10, 2014

Intent of theft unknown, patients being informed a month after theft

Medical and personal information for up to 168,500 patients is potentially at risk, following a computer theft in Los Angeles, California. The Sunderland Healthcare Solutions office was broken into on February 5, and computers with the data were purloined. Public notification of the potential data breach started going out on March 6, a month after the theft. The data at risk on the computers that were taken includes patients' full names, Social Security numbers, some medical information limited to diagnoses, birth dates, and addresses.

"We take this incident very seriously and are taking the necessary precautions to protect all patient related information from theft or criminal activity," Sunderland Healthcare Solutions said in a statement released to the public over the weekend. "We and Los Angeles County are actively working with law enforcement."

Torrance police Sgt. Robert Watt wasn't clear whether the computers were stolen for the data or for the material worth of the hardware. "It's hard to say what the frame of mind of the suspects was -- did they know what was inside these computers?" he wondered. "That's what we're trying to find out."

The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires agencies like Sunderland Healthcare Solutions to encrypt stored data publicly facing the Internet. The requirements in the law are more lax for "at-rest" data that is inaccessible to the public at large, stored behind a firewall, and properly mechanically secured. The law requires public notification if data is purloined and unencrypted, or if the encryption key is stolen with the data, but does not require the same notification if the data was encrypted prior to loss and the encryption key was not lost. A minimum of AES-128 encryption is required for publicly facing data.

It has not been made known if the data was encrypted, or what kind of hardware was stolen -- workstations, or servers. Given the volume of the data that has been potentially leaked, the most likely class of device stolen is a server, or servers, as no single workstation should hold that much patient information at once.

"I'm not aware of another breach of this significance ever having occurred," LA County Assistant Auditor-Controller Robert Campbell told the Los Angeles Times, regarding the theft of the eight computers containing the data. Campbell said that the Department of Health was informed of the breach on February 10, five days after the theft.

by MacNN Staff


