Another Sutter Health BreachPolice Investigation Identifies Patients Affected
A drug raid by police in California has resulted in Sutter Health notifying about 4,500 of its patients about a security incident, the third major breach the organization has reported since October 2011.
See Also: The Global State of Online Digital Trust
Sutter Health posted a notice on its website June 7 stating that the Alameda County Sheriff's Department recently notified one of Sutter Health's hospitals in the East Bay area of Northern California that during an unrelated investigation, authorities recovered information about the Sutter Health patients.
"We do not know what law enforcement was investigating when they obtained this information," the notice states. "The information may have originated from Sutter Health's Alta Bates Summit, Sutter Delta or Eden medical centers, and may have included a patient's name, Social Security number, date of birth, gender, address, ZIP code, home phone number, marital status, name of employer and work phone number."
The statement says that "while it is presently unclear where the information originated, we have notified the patients whose information was potentially involved and are offering them free credit monitoring services. We have also alerted the appropriate government agencies."
A Sutter Health spokeswoman tells HealthcareInfoSecurity that the organization is cooperating with police in the investigation, and that Sutter has its own internal investigation under way. She says the delivery system does not know whether the patient information found by police was on paper or electronic or whether ID theft or fraud is suspected. Sutter Health also does not know whether two individuals arrested by police have employment or other ties to the organization.
Police have not yet determined how the arrested individuals gained access to the Sutter patient information, but so far there is no indication that any related ID theft has occurred, says Alameda County police officer J.D. Nelson, who declined to elaborate on details of the case since it's still under investigation.
Sutter Health includes 24 hospitals, 27 ambulatory care facilities, a network of more than 5,000 physicians, and home healthcare and hospice services in Northern California.
In October 2011, Sutter Health reported the theft from its Sutter Medical Foundation of an unencrypted desktop computer containing information 4.2 million patients (see: Computer Theft Affects 4.2 Million). That incident resulted in the filing of 11 class action lawsuits. Those suits were consolidated into one case, which is making its way through Sacramento County Superior Court.
In addition, Sutter Health reported a May 2011 breach at its Sutter Gould Medical Foundation in which lost paper records resulted in 1,920 patients being notified that their information was possibly compromised. That incident appears on the Department of Health and Human Services breach website that lists incidents involving 500 or more individuals.