$1B suit filed against Sutter Health over data breach

By Bernie Monegain
10:57 AM

The theft of a computer during a break-in in October has spurred a $1B class action lawsuit against Sutter Health, according to a report published today by the Sacramento Bee. The computer contained data on more than 4 million patients.

The suit was filed Nov. 21 in Sacramento Superior Court.

In a news release posted online by the Sacramento-based health system on Nov. 16, Sutter officials detailed the findings of its investigation into the theft and offered an apology.

“Sutter Health holds the confidentiality and trust of our patients in the highest regard, and we deeply regret that this incident has occurred,” said Sutter Health President and CEO Pat Fry. “The Sutter Health Data Security Office was in the process of encrypting computers throughout our system when the theft occurred, and we have accelerated these efforts.”

Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) – two affiliates within the Sutter Health network of care – announced the theft of a company-issued password-protected unencrypted desktop computer from SMF’s administrative offices in Sacramento the weekend of Oct. 15, 2011.

“Following discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department,” Sutter officials stated. “It also began an internal investigation. The computer did not contain patient financial records, social security numbers, patients’ health plan identification numbers or medical records. While no medical records themselves were on the computer, some medical information was included for a portion of patients.”

Sutter’s news release noted the investigation revealed that the computer contained two types of patient information:

  1. For approximately 3.3 million patients whose health care provider is supported by SPS, the database included only the following patient demographic information dated from 1995 to January 2011: name, address, date of birth, phone number and email address (if provided), medical record number and the name of the patient’s health insurance plan. SPS is an organization that provides billing and managed care services for health care providers with which it contracts, including facilities within the Sutter Health network. Patients who think they may be affected should visit www.sutterhealth.org/noticeforpatients to see the list of impacted health care providers.
  2. For approximately 943,000 SMF patients, the database contained the above demographic data as well as the following information dated from January 2005 to January 2011: dates of services and a description of medical diagnoses and/or procedures used for business operations. Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.

Sutter Health has established a toll-free help line to answer questions and assist patients in determining whether their data was on the computer. Any concerned patients can call toll-free at (855) 770-0003, Monday through Friday from 8 a.m. to 5 p.m. PST. When prompted, patients should enter this 10-digit reference code: 7637111511.