The Legal Aid Society of San Mateo County notified 3,200 low-income clients their Social Security numbers and medical data was potentially compromised after 10 unencrypted laptops containing the personal information were reported stolen.
The computers also included names and birth dates.
The laptops were taken during an Aug. 12 break-in at the two-building Redwood City complex that houses the Legal Aid Society of San Mateo County and several other organizations.
The group’s case management database and client files were not compromised but the stolen laptops did contain files containing correspondence with personal information, said Executive Director M. Stacey Hawver.
One example, she said, could be a medical provider referring a client or an attorney negotiating the settlement of a Medi-Cal appeal.
In an Oct. 10 letter mailed out to clients, Hawver apologized for the breach and said staff is currently reviewing its procedures to prevent future security lapses. Hawver also urged recipients to place a fraud alert on their credit files and regularly review their health benefits statement for services they did not receive.
“I believe that the risk of misuse of the stolen data is unlikely. Nonetheless, we take the potential exposure of our clients’ personal information very seriously,” Hawver wrote in an email to the Daily Journal.
Much of the sensitive information was inside non-searchable scanned attachments and a thief would have had to go through more than 100,000 emails, Hawver said.
Legal Aid will offer credit monitoring services in cases in which a Social Security number was included in an email exchange and Hawver also plans to personally take calls from clients with breach notifications.
All of Legal Aid’s laptop computers have now been encrypted using Bitlocker for Microsoft Windows 7 Enterprise. The building has also been fortified, with the property management adding all perimeter doors to the alarms system, Hawver said.
Although 3,200 individuals were alerted, Hawver said many didn’t have personally identifiable information involved as defined by California’s breach notification law but that the society cast a wider net to include those with some data about Legal Aid’s representation.
(650) 344-5200 ext. 102