Update to Sutherland breach

Add 3,497 more Los Angeles County patients to the over 220,000 affected by the Sutherland breach previously noted on this blog. Update: The L.A. Times notes the total count for this breach is now up to about 342,000.

Sutherland Healthcare identifies additional patients to notify of breach (UPDATED)

Sutherland Healthcare Solutions, which disclosed a breach affecting over 220,000 patients in California, discovered that additional patients had information on the stolen computers and is now sending them notification letters.

Update: Abby Sewell of the Los Angeles Times reports: Los Angeles County officials said Thursday that 170,200 additional victims have been identified in a theft of medical data from a county contractor’s office. The total number of county patients affected now stands at 338,700. The data was stored on eight computers taken in a February break-in at the Torrance office of Sutherland Healthcare Solutions, a company that handles medical billing and collections. […]

Update: Sutherland Healthcare Solutions breach affected over 220,000 patients, and counting (update1)

Well, I tried to warn Sutherland Healthcare Solutions that they shouldn’t let their breach dribble out and stay in the news cycle, but they declined to be more transparent. So now we have yet more news about their recent breach that affected more than 168,000 patients of Los Angeles County departments of Health Services and Public Health as well as an as-yet undisclosed number of patients at City of Hope. Now Maura Dolan reports:

Records for nearly 56,000 San Francisco patients, some with Social Security numbers, were stored in computers stolen last month from a medical billing firm in Torrance, said San Francisco’s Department of Public Health on Friday. “We are working to ensure that all patients are notified and provided with resources to help them protect their privacy,” said Barbara Garcia, San Francisco’s health director. Most of the San Francisco patients whose records were stolen were uninsured and visited the city’s public health offices, including San Francisco General Hospital and Trauma Center, between August 2012 and November 2013, the department said.

Read more on L.A. Times. The incident is not yet up on HHS’s public breach tool, which may be the only way we get a full count on how many entities and patients have been affected.

Update 1: San Francisco General Hospital & Trauma Center’s notification letter, issued by the San Francisco Department of Health/San Francisco Health Network, is available online (pdf).

Sutherland burglars snagged City of Hope patient data (updated)

Among those affected by the burglary at Sutherland Healthcare Solutions were an undisclosed number of City of Hope patients. You can read City of Hope’s notification letter on the California Attorney General’s website. Patient information on the unencrypted computers included patients’ names, Social Security numbers, addresses, phone numbers, medical record numbers, account numbers and/or diagnoses. City of Hope noted that their contract with Sutherland incorporated strict privacy standards, and as a result of this incident, they have suspended business with Sutherland. Although Sutherland’s notice offered those affected free credit monitoring services through ID Experts, City of Hope’s letter offers its patients services through Kroll. Sutherland did not return a phone call from PHIprivacy.net yesterday asking them to clarify whether the 168,000 figure for Los Angeles County patients represented all patients whose personal information may have been on the stolen computers.

Update: A spokesperson for Sutherland confirmed that the 168k figure only applied to the L.A. County health system and did not include other entities that may have been affected by the breach, such as City of Hope. So the final number on the Sutherland breach is as yet unknown, as they did not disclose how many other covered entities may have been affected by this breach.

Appellate Court Partially Revives Medical Data Breach Class Action

Cheryl Miller reports the latest development on litigation stemming from a 2014 data breach at Sutherland Healthcare Solutions. If that incident doesn’t ring a bell for you, it was covered a number of times on this site back in 2014 and you can find coverage linked from here.

A state appellate panel on Monday partially reinstated a class action complaint against Los Angeles County and a Southern California medical billing company that lost eight computers containing customers’ personal information in a 2014 theft. The Second District Court of Appeal said six affected individuals can pursue negligence claims on behalf of a class against the county and its contract payment processor, Sutherland Healthcare Solutions Inc. […] The three-justice panel did, however, agree with the trial court that the plaintiffs’ claims under the California Confidentiality of Medical Information Act should be dismissed.

Read more at Law.com.

Threat actors claim to have attacked City of Dade City, Florida

From the this-doesn’t-bode-well department: Avaddon threat actors claim to have attacked the City of Dade City, Florida. Although the city has not made any statement either denying or confirming any attack at the time of this posting, the attackers did post some screenshots of directories and files that seem consistent with their claims. The attackers also threaten to start dumping data in 4+ days if the city does not cooperate.

We appeal to the mayor of the Dade City Camille Sutherland Hernandez. If you do not care about the leak, then think about the leakage of personal information of all employees of the police station as well as the municipality, we have many documents that will interest many. Don’t be a bad boss.

More than one of the screenshots does relate to the police department and the filenames suggest that some of the files deal with personnel issues such as complaints, injuries, and other issues that occurred in previous years. A Google search confirmed that at least one of the officers’ names in the list had been a Dade County Police officer at the time of the filestamp. But even if the attackers acquired old, and potentially embarrassing, files with personnel matters, that doesn’t mean that the city will give in to extortion demands. As of the time of this posting, DataBreaches.net has received no response to an email sent to the city, but notes that the web site for dadecityfl.com appears to be offline. This post will be updated if a statement is received.

Dec. 22 update: The City of Dade sent this site a copy of their statement of December 8. Other than acknowledging that there was an attack and impact, it doesn’t really add anything new to what we know so far. DataBreaches.net will continue to update this case as updates become available.

July 23, 2021 update: On July 21, external counsel for the City of Dade notified the Maine Attorney General’s Office that 934 people were being notified of this incident. According to their counsel’s notice, the breach occurred on November 22, 2020, and was discovered on June 28, 2021. That discovery date is obviously questionable as they already acknowledged discovery of the breach last year. They seem to be trying to claim that the date they discovered PII was involved is the date of discovery, when discovery should be the date that any reasonable entity would know or have reason to believe that there had been a breach.

NAIC Task Force Releases Revised Draft Insurance Data Security Model Law

John S. Pruitt, Mary Jane Wilson-Bilik and John Allen Zumpetta of Sutherland Asbill & Brennan LLP write: On August 17, the National Association of Insurance Commissioners (the NAIC) Cybersecurity (EX) Task Force (the Task Force) released for comment a revised draft Insurance Data Security Model Law (the Model Law). This Model Law purports to “establish exclusive standards . . . for data security and investigation and notification of a data breach” for “any person or entity licensed, authorized to operate, or registered” pursuant to an enacting state’s insurance laws. When first presented in April, the Model Law generated more than 40 comment letters from trade associations, market participants and regulators. It also was the subject of a spirited discussion at the Spring National Meeting and a two-day interim meeting in which interested parties and regulators discussed issues raised by the Model Law. Read more on Lexology.

Another lawsuit filed under CMIA fails

One of the larger breaches in 2014 involved a Los Angeles County contractor, Sutherland Healthcare Solutions. The theft of some of their computer equipment with unencrypted patient identity and clinical information was disclosed in March 2014, and within days, a potential class action lawsuit had been filed. The breach impacted approximately 342,000 patients of the Los Angeles County departments of Health Services and Public Health as well as patients at City of Hope Hospital and San Francisco General Hospital and Trauma Center. But as we’ve seen in other California cases involving Eisenhower Medical Center, Alere Home Monitoring, and Sutter Health, simply demonstrating that a breach involving confidential information occurred is not enough for patients to prevail in any lawsuit under the state’s Confidentiality of Medical Information Act. The courts have held that the plaintiffs need to demonstrate that, at the very least, the data were actually exposed to others (i.e., viewed by others), and not just stolen. So it should come as no surprise that on Friday, a judge indicated she would dismiss the lawsuit against Los Angeles County and Sutherland if the plaintiffs can’t demonstrate that the medical information was actually exposed. Law360 has the story, but you’ll need a subscription to access it. Note that this case appears to still be open on HHS’s breach tool, although for some reason, the number affected is reported as 55,900.

Latest update to HHS breach tool discloses previously unknown breaches

HHS has another big update to their public-facing breach tool. While many of the incidents they have added have already been noted on this blog, there are some that have not been mentioned here previously. Here are the incidents we did know about already (links are to previous coverage of the incident on PHIprivacy.net):

Iowa Department of Human Services
City of Hope, which was impacted by the Sutherland Healthcare Solutions breach, reported that 5,400 of their patients were affected.
University of California – San Francisco
Maryland Developmental Disabilities Administration reported that 13,900 were affected by a hack at Service Coordination Inc. Their report did not name the business associate, and the number affected is larger than Service Coordination’s statement indicated.
Valley View Hospital Association
Berea College reported their failure to obtain a signed business associate agreement as affecting 1,000.
University of Kentucky UK HealthCare
Orlando Health
Jewish Hospital
Franciscan Medical Group
Palomar Health
Midwest Orthopaedics at Rush
Texas Health and Human Services Commission reported the EveryChild, Inc. breach.
State Long Term Care Ombudsman’s Office, Michigan Department of Community Health
County of Los Angeles reported the Sutherland Healthcare Solutions breach.
Clinical Reference Laboratory reported that 979 patients were affected by their breach.

Turning to the breaches we didn’t know about already:

McBroom Clinic in Texas reported that a January 2014 breach involving TMA Practice Management Group affected 2,260 patients. I was able to locate a copy of their substitute notice, published in the Fayette County Record on March 18, 2014:

Attention Patients of McBroom Clinic: An incident has occurred that may involve your personal information. In early January 2014, the McBroom Clinic asked a company to help us with a practice audit. We gave this vendor access to limited patient information in accordance with HIPAA and Texas requirements. This information included insurance coverage and payment data, some of which was sent to the vendor on a portable USB flash drive. The vendor received the information on January 9, 2014, but did not see the USB flash drive in the package and discarded it with the packaging in line with their disposal procedures. We learned of this inadvertent disposal on January 17, 2014, when the vendor asked for another copy of our information. When we asked, the vendor said they had not seen or accessed the USB flash drive. As soon as we learned the vendor had disposed of the USB flash drive, we conducted an investigation and determined that your information could be accessed if the USB flash drive were found by anyone. Information for a limited number of patients was contained on the USB flash drive. We know the group of patients from which we prepared the information, but we do not know if your information was actually on the USB flash drive. We also do not know if the information on the USB flash drive has been accessed or compromised. Because the USB flash drive was thrown away, we believe the risk that someone accessed your personal information is low. But to be safe, we are notifying you of the possible breach of your information. The privacy and safety of your information is important to us. We will encrypt transmission of electronic data from now on to protect against future security breaches. Please monitor your bank accounts and credit card information to safeguard against the unauthorized use of your information. If you are among the group of patients whose information may have been copied to the USB flash drive, you will receive individual notice from the McBroom Clinic. This notice will include information from AllClear ID, the company we have asked to help with identity theft protection for you. Please call us at (877)313-1394 if you have any questions. Thank you for your patience and understanding. McBroom Clinic, Dr. Borgstedte, Dr. Blackwell, Dr. McBroom, and Staff

QBE Holdings, Inc. was also affected by the StayWell Health Management breach noted previously on this blog. They report that 1,746 were affected by the incident.

Blue Cross and Blue Shield of Kansas City reported that 2,546 were affected by a breach on August 16, 2013 that involved “Unauthorized Access/Disclosure,Other.” I could find no information on their web site about this incident.

NOVA Chiropractic & Rehab Center in Virginia reported that 5,534 patients were affected by a January 30th breach. A HIPAA notice dated March 25, linked from their homepage, says:

We take patient privacy very seriously, and it is important to us that you are made aware of a potential privacy issue that was discovered on January 30, 2014. An unencrypted thumb drive that was used to transfer older electronic records was misfiled and presumed to have been put back into regular office circulation or was inadvertently wiped clean or even disposed of. In most cases the information contained in the record was your name, address, and the health records from the office. In some cases social security numbers, date of birth, diagnosis, insurance claim forms and payment information including expired credit card information were also included. Please rest assured that your health information is intact and our office still has your important records. The likelihood that there indeed was a breach of information is extremely low. If you have concerns about this issue, please call the toll-free numbers of any of the three major credit bureaus (below) to place a fraud alert on your credit report. This can help prevent an identity thief from opening additional accounts in your name. All three bureaus will provide you a copy of your credit report free of charge. When you receive your credit report, examine it closely and look for signs of fraud, such as credit accounts that are not yours. Continue to monitor your credit reports.

Equifax: (888)766-0008; www.fraudalerts.equifax.com
Experian: (888) 397-3742; https://www.experian.com/fraud/center.html
TransUnion: (800) 680-7289; http://www.transunion.com/personal-credit/credit-disputes/fraud-alerts.page

We are investigating how this breach happened and are committed to mitigating any harm as a result of this issue by interviewing people that were involved in the electronic back up process at our office and taking inventories of all of our electronic storage devices. To protect against such breaches in the future, we are only using encrypted drives and password protected devices. We are taking a very proactive and precautionary approach to the privacy of our patients but feel that it is better to take an abundance of caution to these kinds of issues. Please do not hesitate to contact us with any questions about this incident. Our address is 880 W. Church Rd. […]

Where there's a breach, there's a lawsuit

Abby Sewell reports: A patient whose personal information was stolen in a break-in at a medical billing contractor’s office in Torrance has filed a class-action lawsuit against the company and Los Angeles County. Two Los Angeles law firms filed a complaint Friday in Superior Court. The suit was initially filed on behalf of a single patient whose name was not disclosed, but seeks class-action status. An office of Sutherland Healthcare Solutions, which handles billing and collections for the county’s Department of Health Services and Department of Public Health, was burglarized Feb. 5 and computers were stolen. Read more on L.A. Times.