Thursday, November 17, 2011

Sacramento Health System Breached - 4.2 Million Records


Two branches of the Sutter Health network were breached in October of this year after an employee's laptop was stolen. The laptop contained databases with Personally Identifiable Information and Personal Health Information for 4.2 million patients. These records date from as far back as 1995 to as recently as this year. Sutter says that the employee's laptop was not encrypted, even though the company is currently in the process of encrypting all laptops across the enterprise.

Data stored in an unprotected state on a laptop or desktop PC puts organizations at risk of becoming the next data breach headline, like Sutter. Only strong encryption of all data on hard disks counters the threat of losing critical intellectual property, customer and/or competitive information, and provides a safe harbor from the high-profile public disclosures and costly remediation mandated by privacy laws. To protect mobile data from the risks of loss or theft of a laptop or desktop, enterprises need not only the security provided by strong encryption, but also a standards-based solution to the practical issues that organizations encounter when deploying endpoint data protection.


Sutter Health network of care press release below: 

/PRNewswire/ -- Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) — two affiliates within the Sutter Health network of care — announced the theft of a company-issued password-protected unencrypted desktop computer from SMF's administrative offices in Sacramento the weekend of Oct. 15, 2011. Following discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department. It also began an internal investigation. The computer did not contain patient financial records, social security numbers, patients' health plan identification numbers or medical records. While no medical records themselves were on the computer, some medical information was included for a portion of patients.

Following a thorough internal review, Sutter Health discovered that the stolen computer held a database that included two types of information:
  1. For approximately 3.3 million patients whose health care provider is supported by Sutter Physician Services (SPS), the database included only the following patient demographic information dated from 1995 to January 2011: name, address, date of birth, phone number and email address (if provided), medical record number and the name of the patient's health insurance plan. SPS is an organization that provides billing and managed care services for health care providers with which it contracts, including facilities within the Sutter Health network. Patients who think they may be affected should visit www.sutterhealth.org to see the list of impacted health care providers.
  2. For approximately 943,000 SMF patients, the database contained the above demographic data as well as the following information dated from January 2005 to January 2011: dates of services and a description of medical diagnoses and/or procedures used for business operations. Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.

Read more: http://www.sacbee.com/2011/11/16/4059251/sutter-health-informs-patients.html#ixzz1dyUMTGrj
