It seems like a breach that I never mentioned on this blog was the downfall of a firm.
In December, 2011, Impairment Resources, LLC was the victim of a burglary. They reported the incident and I had included it on DataLossDB.org, but didn’t think much of it as there was nothing wildly unusual in their reports to suggest it was particularly newsworthy. Just another business that was reporting a breach involving SSN and medical information, right?
Today, Katy Stech reports on WSJ:
The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.
Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.
Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.
“The cost of dealing with the breach was prohibitive” for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what’s left to pay off their debts.
The company said its assets are worth about $226,000, an amount that, even after money trickles in from liquidating sales, likely won’t be enough to pay lender Insurance Recovery Group and its $583,000 loan, Impairment Resources said in court papers.
The company also faced the threat of even more debt with customers and individuals threatening to sue it over the privacy breach.
Impairment Resources reviewed medical records taken on workers’ compensation and auto casualty claims for roughly 600 insurance companies and other customers, according to court papers. It also had offices in Framingham, Mass., and Kailua, Hawaii.
So…. this a case where a lack of strong encryption was ultimately responsible for a business’s failure? From their correspondence (see links to state reports from DLDB entry), it doesn’t sound like the data were encrypted, but then, the company also doesn’t report a lot of assets given the size of its clientele, so who knows?