BreachExchange mailing list archives

Laptop thefts compromise 729,000 hospital patient files


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Oct 2013 00:11:59 -0600

http://www.latimes.com/local/la-me-hospital-theft-20131022,0,1936078.story

The health information of 729,000 patients was compromised when thieves
stole two laptops from an administration building of a San Gabriel
Valley-based hospital group, officials said Monday.

The laptops were stolen Oct. 12 and contain data from patients treated at
AHMC hospitals: Garfield Medical Center in Monterey Park, Monterey Park
Hospital, Greater El Monte Community Hospital in South El Monte, Whittier
Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim
Regional Medical Center.

The thieves swiped the laptops from a video-monitored sixth-floor office on
a medical campus that officials said is "gated and patrolled by security."

The suspects broke into the office and stole two password-protected
laptops, they said.

Gary Hopkins, a spokesman for AHMC, said the hospital group called Alhambra
police as soon as the theft was discovered Oct. 14. Security video showed
that the theft occurred Oct. 12.

According to the hospital group, the computers contained data including
patients' names, Medicare/insurance identification numbers,
diagnosis/procedure codes and insurance/patient payment records. Some of
the files contained the Social Security numbers of Medicare patients,
officials said.

There was no evidence the information was accessed or used, but that cannot
be ruled out, AHMC Healthcare Inc. officials said in a statement.

"We regret any inconvenience or concern this incident may cause our
patients," they said in the statement.

AHMC Healthcare had already asked an auditing firm to perform a security
risk assessment and it was following the recommendations, officials said.
Administrators will now expedite a policy of encrypting all laptops, they
said.

Hospital officials said affected patients may want to place fraud alerts on
their credit files and order their credit reports to look for fraudulent
activity.

Under federal law, hospitals are required to report potential medical data
breaches involving more than 500 people. The breach of 729,000 files would
rank as the 11th largest in the nation when compared to data on the U.S.
Department of Health & Human Services website. In California, two other
medical groups have had larger data compromises involving more patients.

Hopkins said patients with concerns or questions may contact the group at
(855) 977-6678.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss