Medical group: Data on 185,000 people was stolen

A California medical group is telling nearly 185,000 current and former patients that their financial and medical records may have been exposed following the theft of computers containing personal data.

Given the number of people affected, the theft from the San Jose Medical Group ranks among the largest in the nation. It follows a rash of other breaches that have raised concerns about the security of sensitive information.

The theft occurred after the San Jose Medical Group had copied patient and financial information from its secured servers to two local PCs, said Mike Patel, vice president of information technology for the San Jose Medical Group.

The data, some of which was encrypted, was part of a patient billing project and also part of the medical group's 2004 year-end audit, Patel noted.

On March 28, during the early morning hours, the building was broken into and the medical group's two new Dell computers were stolen.

"We believe they were stolen because of the kind of computers they were and not because of the information," Patel said, noting that there have been no reports of patients' personal or financial information having been compromised.

Ironically, the medical group earlier this year began the process of encrypting its patient and financial information. It had not completed the process when the two PCs were stolen.

"We started to encrypt things this year because of (medical regulations), ID theft reports and security regulations," Patel said.

As a security measure, the medical group has historically stored its information only on the secured servers, where employees have only limited access to the computers and the information can only be accessed via the network.

Under the Security Breach Information Act of California, companies and organizations are required to notify people when their personal information may have been stolen.

The San Jose Medical Group began notifying patients on Tuesday, nine days after the break-in, Patel said. He noted that it took some time to gather the necessary information for notices and then distribute them to the thousands of patients who were affected.

Since the burglary, the medical group has taken steps to shore up the physical security of the building with surveillance cameras and other measures, Patel said.

The incident is certainly not the first of its kind. Last month, the University of California, Berkeley, warned 98,000 people that their personal information may have been exposed following the theft of a laptop from its admissions office.

That theft, however, paled in comparison to an incident at the university in August, when an attacker gained access to 1.4 million database records containing personal information in a social researcher's computer.

Other recent scares over data security include one at the Bank of America, which misplaced backup tapes containing the records of 1.2 million people, the bank said in February. Additionally, hackers broke into the databases of Seisint, a subsidiary of LexisNexis, gaining access to the records of 32,000 people, the company said last month.

Also in March, data warehousing company ChoicePoint confirmed that it had sold data to scammers, resulting in at least 750 cases of identity theft.