Computer Stolen From Sutter Health Contained Patient Info From Bay Area Hospitals
Sutter says some patient information from San Leandro Hospital and Eden Medical Center and more than was breached. The incident is so serious that nearly a million patients will be notified by mail.
Sutter Health said Wednesday that a desktop computer containing data for 4.24 million patients was stolen from its headquarters in Sacramento over the weekend.
In a press release issued Wednesday, Sutter said no Social Security numbers were kept on the stolen computer, which was not protected by encryption software.
But for nearly 1 million patients the data loss was serious enough that Sutter said they will be notified by mail.
The affected local facilities include San Leandro Hospital and Eden Medical Center in Castro Valley, as well as the Alta Bates Summit Medical Center in Berkeley; the Sutter East Bay Medical Foundation, which represents more than 200 health providers in 10 East Bay cities; and almost two dozen more.
The information that was compromised was collected between 1995 and January 2011.
Sutter identified two classes of patient data affected by the breach.
For 3.3 million patients, the following information was lost: name, address, date of birth, phone number, email address (if provided), medical record number and the name of the patient’s health insurance plan.
Another 943,000 Sutter Medical Foundation patients were victims of a more serious data breach.
In addition to the information listed above, the lost data included the dates of service and descriptions of medical diagnoses and/or procedures used.
Sutter said these 943,000 patients would be notified by mail no later than Dec. 5 because the data loss in their case was "broader in scope."
Karen Barney, a spokeswoman for the nonprofit Identity Theft Resource Center in San Diego, explained why.
With a list of email addresses, identity thieves could go phishing — that means trying to trick the recipient of a message into divulging Social Security and/or bank account numbers.
"The more information you give a predator the easier it is for them to trick you into thinking they are legit," Barney said.
Therefore, if phishers get data about the dates and nature of treatments affecting this second group of patients, they would be in a better position to pull off a data theft, she said.
Sutter has established a toll-free helpline to answer questions and to help patients determine whether their data was included. Call (855) 770-0003 on weekdays from 8 a.m. to 5 p.m.
When prompted, patients should enter this 10-digit reference code: 7637111511.
In addition to the two local hospitals, Sutter said the affected facilities include:
- Albany Family Practice
- Alta Bates Medical Associates
- Alta Bates Medical Group
- Alta Bates Summit Medical Center
- Central Valley Medical Group
- County of Yolo Department of Health
- Family Doctor Medical Group
- Oakcare Medical Group
- Sutter Amador Hospital
- Sutter Coast Hospital
- Sutter East Bay Medical Foundation
- Sutter Express Care
- Sutter Gould Medical Foundation
- Sutter Independent Physicians
- Sutter Lakeside Hospital
- Sutter Medical Centers of Sacramento
- Sutter Medical Center of Santa Rosa
- Sutter Medical Foundation
- Sutter Pacific Medical Foundation
Sutter Chief Executive Officer Patrick Fry expressed his regrets for the breach and said steps have already been taken to make sure it never happens again.
The theft is being investigated by Sacramento police.
Marga Lacabe
3:50 pm on Wednesday, November 16, 2011
This is really unconscionable, the type of criminal negligence that should have the Sutter CEO jailed. There is no excuse whatsoever to have that data unencrypted.
David
6:16 am on Thursday, November 17, 2011
The UC system regularly "lost" or had stolen all kinds of student data including social security numbers when I was a grad student there. Not a single person was ever fired. Again, the differences in accountability demanded for the public sector vs. the private sector...
DeAnna Senft McDaid
11:35 pm on Wednesday, November 16, 2011
Are all the birth records kept in one desktop in Sacramento for EDEN in Castro Valley? Would Eden keep local records forever on site? I hope they are recoverable somewhere else and when found encrypted right away. I am shocked, hospitals are all about record keeping. This WAS NOT A PRIORITY OVER THE LAST 10 YEARS???? WITH RAMPANT IDENTITY THEFT
Serene
3:45 am on Thursday, November 17, 2011
Absolutely pathetic.
Time for a new Sutter CEO; one who respects patient confidentiality.
Sophie
6:21 am on Thursday, November 17, 2011
I am pretty certain my info was in those records having been a pt at two of the facilities mentioned. I know that Sutter does not want employees to keep PHI on laptops but rather save them to company files. This sounds like an employee issue. Nonetheless, it should not have happened, and I hope that meaningful steps have been taken to prevent further breaches. Also imagine the cost of mailing a million letters! I can't wait to see what pitiful excuses are going to be in mine!
Fran
8:01 am on Thursday, November 17, 2011
4.24 million patients. And I don't believe social security numbers were not compromised. I'll be waiting for a letter also.
Creek Diva
4:23 pm on Thursday, November 17, 2011
Lovely.
Summit East Bay Medical Center Orinda, don't you mean Oakland?
Kari Hulac
7:40 am on Friday, November 18, 2011
My mistake Creek Diva. We meant the Sutter East Bay Medical Foundation, which has dozens of East Bay offices, including Orinda. Thanks for pointing that out.
Creek Diva
8:23 am on Friday, November 18, 2011
@Kari, no problem with all the similar sounding names, it can get confusing. Thanks for the heads up! I'll be calling today to ask, crossing my fingers I'm not on that list.