Some 168,500 people are getting HIPAA breach notification letters after unencrypted computers were stolen from the Los Angeles County public health and health services departments, city officials announced Thursday.

 

According to a public notice, third-party billing vendor Sutherland Healthcare Solutions reported a burglary Feb. 5 involving the theft of several unencrypted company computers. 

 

Officials confirmed the computers contained patient Social Security numbers, demographic data, billing information, dates of birth and protected health information, including medical diagnoses. 

 

[See also: Group slapped with $6.8M HIPAA fine and Ready or not: HIPAA gets tougher today.]

 

"We sincerely regret any inconvenience or concern that this matter may have caused you," said Karen J. Pugh, vice president and head of healthcare compliance, at Sutherland Global Services, in a March 6 statement. "We are reviewing our policies and procedures and have provided additional training to our workforce. Los Angeles County is also working with us to review our information privacy and security program and determine whether enhancements should be made."

 

Due to Social Security numbers being involved, Sutherland is offering credit monitoring services for those patients involved.  

 

The Department of Health and Human Services' Office for Civil Rights, the division responsible for investigating HIPAA breaches, has said repeatedly encryption is one of the most basic things providers and business associates can implement to protect patient information.   

 

"Pay attention to encryption," said Susan McAndrew, deputy director for health information privacy at OCR, speaking at HIMSS14 this past month, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."

 

[See also: HIPAA data breaches climb 138 percent and Behemoth breach sounds alarm for 4M.]

 

Theft currently accounts for the lion’s share of HIPAA privacy and security breaches, McAndrew pointed out, representing some 48 percent of all breaches reported. 

 

HIPAA-covered entities and, now, business associates, have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that just from last year. And this isn't counting the state and private legal settlements. 

 

To date, nearly 30 million individuals have had their protected health information compromised in a HIPAA privacy or security breach.