Theft of data on 4M patients part of wider problem

SACRAMENTO, CALIF. (AP) - The theft of a computer containing information on more than 4 million patients of a major Northern California health care provider may be among the largest breaches of health care data in recent years, but it’s far from the only incident of its kind.

Over the last two years, health care organizations have reported 364 incidents involving the loss or theft of information ranging from names and addresses to Social Security numbers and medical diagnoses on nearly 18 million patients, equivalent to the population of Florida.

A thief stole medical information on more than 4 million patients of Sacramento-based Sutter Health last month by the simple act of breaking a window with a rock at the affiliated Sutter Medical Foundation. Stolen over the weekend of Oct. 15 were monitors, keyboards and a desktop computer containing patient information dating to 1995.

Employees reported the theft to Sacramento police when they returned to work that Monday, Oct. 17, said Sgt. Andrew Pettit, but they didn’t notify the public until Wednesday, a month later. The company said in announcing the theft Wednesday that some patients might not receive mailed notices until early next month.

“If that machine is that valuable, then there should be more security measures where that is protected. There’s got to be something in place to make sure that that doesn’t happen,” Pettit said.

Police were investigating the burglary as a routine smash-and-grab property theft, he said, and so far there is no indication that the information in the computer has been used.

Since federal health care data breach notification rules took effect in 2009, Health and Human Services records show that the Sutter theft was exceeded only when the U.S. military’s health insurance program lost backup tapes in September containing information on more than 4.9 million patients.

While Sutter said the computer was password-protected, the data on patients was not encrypted, drawing criticism from privacy and computer security experts.

“Had this data been encrypted, you and I wouldn’t be having this discussion. It would be a nonissue,” said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy organization based in Sacramento.

On a computer in which data is encrypted, a user would typically have to enter another password in addition to the computer’s general password to access that specific data.

Information on about 3.3 million patients included name, address, date of birth, phone number, email address, medical record numbers and the name of the patient’s health insurance plan. Information on another 943,000 patients also included dates of services and descriptions of medical diagnoses and procedures.

Sutter spokesman Bill Gleeson said the company waited a month because it took that long to determine which patients’ information was contained in the computer. The company properly notified the federal government as well as others beyond what was required, he said, and hired a private investigator who so far has turned up no leads on the stolen computer.

The stolen computer was scheduled to be encrypted “very soon,” he said. Sutter initially concentrated on encrypting hand-held and laptop computers because those were deemed more likely to be lost or stolen.

“We deeply regret that that computer was stolen and that information about our patients was included. We have no reason to believe that computer was taken for that information,” he said. He added that Sutter has heightened security for the building and was working on encrypting all of its computers.

The stolen computer did not contain patient financial records, Social Security numbers, health plan identification numbers or actual medical records, Sutter said.

Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
