Computer Theft Affects 4.2 Million
Sutter Health Had Not Yet Encrypted the Device
No patient financial information, Social Security numbers, health plan ID numbers or medical records were on the desktop device, which was stolen during the weekend of Oct. 15 and 16 from an administrative office of the Sutter Medical Foundation, a physician network based in Sacramento, Calif.
The stolen computer contained a database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units. That database holds information on about 3.3 million patients collected from 1995 through January 2011. Included are names, addresses, dates of birth, phone numbers, some e-mail addresses, medical record numbers and the names of patients' health insurance plans.
The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.
Sutter Health notes in a statement on its website that it will notify by mail the 943,000 patients who had more extensive information on the computer.
Encryption, Other Steps
"The Sutter Health data security office has already encrypted portable laptops and BlackBerries systemwide and was in the process of encrypting desktop computers throughout the system when the theft took place," according to the statement. "Sutter Health has since accelerated its efforts to encrypt all computers and has implemented routine security software updates. ... Sutter Health also will be reinforcing security practices with staff systemwide."
The healthcare organization has created a toll-free helpline for those who may have been affected and is encouraging patients to review their insurance "explanation of benefits" forms to look for any suspicious billing.
Sutter Health is working with local police on the investigation.