DHS, City of Hope Impacted By Breach

Theft of Billing Service Computers Affects at Least 173,900
Ron Shinkman

A huge breach involving the personal data of some 173,900 patients in Southern California has affected both the Los Angeles County Department of Health Services and at least one private hospital operator, officials have disclosed.

The county DHS and the Department of Public Health said that the theft of eight computers from a Torrance branch office of billing giant Sutherland Healthcare Solutions on Feb. 5 may have compromised the data of as many as 168,500 county residents who receive healthcare services through Medi-Cal and other county programs.

Additionally, City of Hope, the Duarte-based specialty cancer hospital, announced earlier this week that two of the purloined computers contained data on about 5,400 of its own patients. All of the patients were enrolled in Medi-Cal, Medicare or health plans that supplemented their Medicare coverage.

The stolen data included names, Social Security numbers and billing information. Birth dates and medical information may have also been included. Officials say there has yet to be any attempted misuse of the information on the computers.

A City of Hope spokesperson and an attorney for Sutherland confirmed that the stolen desktop computers had not been encrypted, a safeguard industry observers say is often undertaken with laptop computers but is not as commonplace with desktop models. Encryption bars users from accessing the computers without the correct password. Without a password, the device’s hard drive usually has to be erased in order for it to function properly again.

A once costly practice, encrypting most computers requires just a few changes on the main settings panel and the use of a password and rarely takes more than a few minutes to achieve. In most instances, the loss of encrypted patient data is not considered a privacy breach under federal law.

“Here, the physical safeguards protecting the desktop computers at issue included both a locked steel door and a locked steel-reinforced door,” said Patricia Wagner, an attorney with the Washington, D.C. firm of Epstein Becker Green who represents Sutherland. 

Wagner added that Sutherland has since encrypted its desktop computers and secured them to desks with steel cables. 

The potential breach of patient records is the second largest in California involving the theft of desktop computers. The largest such breach involved a 2011 incident at Eisenhower Medical Center in Rancho Mirage, which compromised the security of more than 514,000 patient records, according to data from the U.S. Department of Health and Human Services.

The largest threat to patient data in California also occurred in 2011, when Woodland Hills-based insurer Health Net reported that nine server drives from its data center in Rancho Cordova went missing. The drives contained records of 1.9 million patients, including about 845,000 Californians. It was the third-largest patient data breach that has been reported to date.

The Sutherland theft would be the fifth largest in California to date. Any potential breach of 500 patient records or more requires mandatory reporting to the HHS.

Wagner did not say whether other providers may have been affected by the breach.

City of Hope said in a statement it has suspended its relationship with Sutherland, with which it had contracted fairly recently, according to spokesperson Tami Dennis.

“We will be investigating Sutherland’s compliance” with its contract, Dennis said.

By holding sensitive patient information, Sutherland undertook the role of a “business associate,” a non-healthcare entity that handles some business of a medical provider. Business associates are held to the same rigid standards of safeguarding patient data as providers are under the Health Insurance Portability and Affordability Act, a federal law that has been on the books since 1996.

However, a study released this week by the Ponemon Institute, a Michigan think tank devoted to patient privacy issues, has concluded that few healthcare providers are wholly confident in the ability of business associates to safeguard data. Only 30% of those surveyed were “very confident” or “confident” that their business associates were appropriately safeguarding patient data. Another 31% were only “somewhat confident,” and 39% were not confident at all.

“Our recent study...shows insecure business associates are a big worry for healthcare practitioners,” said Larry Ponemon, founder of the Ponemon Institute. He added that data from other surveys suggest that healthcare entities are not adopting encryption technologies at rates higher than other sectors, despite the risk of breaches of confidential data.

Despite the shaky confidence expressed by the healthcare entities surveyed, more say they are relying on business associates than in prior years. Meanwhile, the number of thefts involving patient data has doubled over the past four years, according to the study.

The study was sponsored by ID Experts, an Oregon-based security firm that specializes in patient data issues. It was hired by L.A. County DHS to notify patients potentially affected by the breach and to provide them services protecting them from identity theft. 
