Personal data of as many as 168,500 patients of Los Angeles County medical facilities may have been stolen in a break-in at a county contractor’s office last month.
A Torrance office of Sutherland Healthcare Solutions, which handles billing and collections for the county’s Department of Health Services and Department of Public Health, was burglarized Feb. 5 and computer equipment was stolen, according to a county statement issued Thursday.
The computers contained data including patients’ first and last names, Social Security numbers and certain medical and billing information, and they may also have included birth dates, addresses and diagnoses.
“I’m not aware of another breach of this significance ever having occurred,” said L.A. County Assistant Auditor-Controller Robert Campbell. The auditor-controller’s office oversees the county’s compliance with federal medical privacy regulations.
Campbell said Sutherland notified county workers overseeing compliance with the Health Insurance Portability and Accountability Act on Feb. 10, but it was not clear at that point how many patients were affected. On Feb. 25, the company confirmed that county patients’ data were stolen, and Thursday it began notifying the affected patients by mail.
Torrance police Sgt. Robert Watt said a Sutherland employee discovered and reported the break-in the morning of Feb. 6. Eight computers and two monitors were stolen, he said. Torrance police investigators are working with the Los Angeles County district attorney’s cyber crime team and with the U.S. Secret Service, which investigates some computer crimes.
No arrests have been made. Watt said it was not clear whether the patient data was the intended target of the burglary or whether it had been used in identity theft since.
“It’s hard to say what the frame of mind of the suspects was — did they know what was inside these computers?” he said. “That’s what we’re trying to find out.”
Patricia Wagner, an attorney for Sutherland, said the company had “privacy and security processes as well as security systems in place” at the time of the theft.
“In response to the incident, [the firm] is reviewing its privacy and security procedures and systems” and cooperating with investigators, she said in an email.
Campbell said the county would look into the contract with Sutherland and procedures that were in place to see whether the breach could have been prevented.
Sutherland set up a toll-free line at (877) 868-9284 so patients can find out if they were affected. It also said in a letter to patients that the company will provide free credit monitoring to people whose information was stolen and support resources to any who are victims of identity theft.