Share this article on:
The victim count from the Sutherland Healthcare data breach has more than doubled from the initial estimate of 168,500 as announced last month. This week the Los Angeles County Department of Health Services (DHS) has announced that an additional 170,200 patients are believed to have been affected by the HIPAA breach.
Thieves gained access to one of the offices of Sutherland Healthcare in Torrance on February 5th and stole 8 computers, which has now been confirmed to have included the protected health information and other personal data of 338,700 individuals.
Sutherland Healthcare has used a public relations firm to release a description of the suspect they believe was responsible for the theft and a reward of $25,000 is being offered for information that leads to the apprehension of perpetrators and retrieval of the stolen equipment and data.
The suspect has been described as a black male of indeterminate age and height and was heavy set. At the time of the theft he was wearing gloves and a dark hat with white insignias, a dark sweatshirt, blue jeans and bright blue athletic footwear. The man had an earring in his left ear and was wearing a large watch. The crime is being investigated by the Torrance Police Department and the District Attorney’s Office as well as the U.S. Secret Service has been assisting. So far the stolen computer equipment has not been located.
L.A County is also conducting an investigation into Sutherland Healthcare to determine whether HIPAA Privacy and Security Rules were broken and if action could have been taken to prevent the data breach and theft.
Breach notification letters were sent out in February to the victims, with the additional patients having now been notified by post advising them of the security breach. All individuals affected by the breach have been offered credit monitoring services for a period of 12 months. L.A County is also undertaking a complete review of its data security policies and procedures, although this is an ongoing process and no information has been released about when the security review is expected to be completed.
Since the announcement about the data breach was made there have been three separate class action lawsuits filed against DHS for privacy and security failures and for not implementing the appropriate measures to safeguard the electronic health records of its patients.