Approximately three weeks ago, I added a breach incident to DataLossDB that involved the North Los Angeles County Regional Center. My summary of the incident was:
Stolen laptop contained consumers’ names, addresses, dates of birth, phone numbers, UCI number, ability to ambulate, whether they used a respirator, type of residence, and contact person
The entry was based on the organization’s report to the California Attorney General’s Office under that state’s breach notification laws.
There was no media coverage at the time of that entry – only the agency’s report. The agency indicated that notification letters to those affected had been sent out on January 11.
Yesterday, I saw some media coverage on SCV News and I wondered why it took three weeks for the media to pick up this story. I would think that at least some news outlets in California – or elsewhere – would routinely check the state’s breach reports site. I checked further and discovered that the SCV story seems to be the only media coverage of the breach since the agency’s disclosure at the end of January.
Media coverage of breaches is important. It’s important for those who may have moved and may not have a current address on file for the breached entity to contact them and it’s important to help the public get some sense of how often breaches occur and how breaches involving their information occur.
Of course, one day I hope we’ll see a national database of breach reports that will make it easier for consumers and researchers to check to see who’s reported breaches involving PII and/or PHI. Until then, I hope the media does its job of informing the public when they may be at risk.