Sutter Health, a hospital system in Northern California, faces two class-action lawsuits from patients for leaving the information of 4.24 million people vulnerable to exposure.
During the weekend of Oct. 15-16, a rock was thrown through the window of Sutter's administrative offices in Sacramento, Calif., and then a desktop PC along with monitors, mice and keyboards were stolen, Nancy Turner, a spokesperson for Sutter Health, told eWEEK.
Although no medical data or Social Security numbers resided on the PC, the computer did store some personal information, Sutter Health reports.
The PC theft exposed personal information for about 3.3 million patients of Sutter Physician Services (SPS) from 1995 to January 2011, including names, addresses, dates of birth, phone numbers and email addresses (for those who provided them). SPS provides billing and managed care services for health care providers affiliated with Sutter.
Meanwhile, information regarding medical diagnoses and procedures for about 943,000 Sutter Medical Foundation patients from January 2005 to January 2011 also was exposed in the breach. Sutter Medical Foundation is a network of doctors working in Placer, Sacramento, Solano, Sutter, Yolo and Yuba counties.
The law firm Harris & Rubel filed a suit on Nov. 16 against Sutter Medical Foundation and Sutter Physician Services on behalf of patient Javier Garcia, claiming that the health organization didn't effectively secure patients' data.
"Securing equipment and encrypting data were not a priority for Sutter, and now patients will have to worry about what medical or insurance information is out there for others to view," attorney Alan Harris said in a statement.
Since 2007, Sutter has been encrypting laptops and BlackBerry devices, but had only recently begun encrypting desktops, according to Turner. The priority was to encrypt the portable devices first, Turner said.
"We were in the process of encrypting the desktops when this theft occurred," she said. Although the stolen PC was unencrypted, it was password-protected, Turner noted.
Robert Buccola of law firm Dreyer Babich Buccola Wood filed another suit on Nov. 21 in Sacramento Superior Court on behalf of patient Karen Pardieck, the Sacramento Bee reports. The lawsuit is asking for $1,000 for each affected individual plus attorneys' fees.
Sutter reported the theft to police on Oct. 17 immediately after discovering the theft. The Sacramento Police Department is investigating.
The health system sent letters to patients beginning on Nov. 15 at a rate of 150,000 a day to notify them of the PC theft and data breach, Turner said. As of Nov. 29, all letters had been mailed, and patients should receive them by Dec. 5, she added.
"We've been telling folks [that] patients would be receiving letters no later than Dec. 5 in case there's a delay in finding the patient," Turner said. Sutter didn't notify patients sooner because the health system was trying to determine the contents of the PC, she added.
"People felt that 30 days was not adequate and that they should have been notified as soon as possible," she said.
"We had a dedicated team of people working to determine exactly what was on the computer, and that took some time," Turner explained. "If we had notified them before we had found out that information, that wouldn't have managed [patients'] anxiety at all."
As part of its response to the breach, Sutter has set up a toll-free number (855-770-0003) for concerned patients to obtain information.
Pat Fry, president and CEO of Sutter Health, expressed regret regarding the incident in a video on the company's Website. "We take our responsibility for providing quality care extremely seriously, and that includes protecting our patients' personal and medical information," Fry said.
Federal laws under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act require health organizations to notify individuals within 60 days of a data breach.
The Sutter data breach is the latest incident involving health organizations losing data.
In fact, 71 percent of health care organizations have suffered at least one data breach within the past year, according to a study by Veriphyr, a software-as-a-service data-analytics application provider.
On Sept. 29, Tricare, a health care services provider to active and retired military personnel, disclosed that its contractor, Science Applications International Corporation (SAIC), had potentially exposed data for 4.9 million patients when backup tapes were stolen from a car in San Antonio.