L. A. County to Increase Data Encryption as 3.5K More HIPAA Breach Victims are Identified
L.A County has recently announced that the Sutherland Healthcare HIPAA breach has also affected patients who had previously received Medi-Cal services. This is the second time the number of potential victims has been increased since the February 5th data breach at Sutherland Healthcare’s Torrance facilities was first reported.
In March this year, Los Angeles County announced that the theft of 8 computers resulted in the exposure of medical records and personal information of 168,500 patients. Less than a month later the number of potential victims doubled, then the forensic investigation determined that the medical records of a further 170,200 patients were stored on the computers. The latest announcement adds a further 3,497 patient records bringing the total number of potential victims to 342,197; making it one of the largest HIPAA data breaches to occur this year.
The data breach was reported to the Office for Civil Rights of the Department of Health and Human Services which will be conducting an investigation into the data breach to determine whether it could have been prevented, and to determine whether Los Angeles County and Sutherland Healthcare fulfilled their obligations under HIPAA Privacy and Security Rules.
If the OCR discovers that an organization has neglected to implement the appropriate physical, technical and administrative safeguards to protect the electronic health records of its patients it has the power to impose sanctions and stiff financial penalties. An action plan is devised by the OCR in cases where there have been HIPAA violations to ensure that all compliance issues are identified so that any risks can be effectively managed.
Los Angeles County has already stated that it is undertaking a review of its policies and procedures following the data breach to determine where security can be improved. According to the L.A Times, a spokesperson for DHS said the break-in and theft “alerted us to some necessary security measures” which are now in the process of being implemented.
One of the additional security measures that will be implemented is the encryption of all laptop computers and desktops containing patient data, in addition to encryption services for data in transit between L.A County DHS and its contractors.