The password-protected but unencrypted machine contained a patient database. Ironically, the Sacramento, Calif.-based healthcare organization had been implementing encryption across the organization at the time of the theft. Unfortunately, the machine that was stolen was not yet encrypted.
“Sutter Health holds the confidentiality and trust of our patients in the highest regard, and we deeply regret that this incident has occurred,” Pat Fry, president and CEO of Sutter Health, said in a statement. “The Sutter Health Data Security Office was in the process of encrypting computers throughout our system when the theft occurred, and we have accelerated these efforts.”
The machine was stolen from the Sacramento offices during the weekend of Oct. 15. The healthcare firm discovered the theft on Monday, Oct. 17, and reported it to the Sacramento Police Department. The database included names, addresses, dates of birth, phone numbers, email addresses, medical record numbers, and health insurance plan providers, between 1995 and January 2011 of 3.3 million patients under Sutter Physician Services. SPS provides managed care services and billing for healthcare providers.
The computer also contained demographic data -- names, addresses, dates of birth, phone numbers, email addresses, medical record numbers, and health insurance plan providers -- as well as medical diagnoses between January 2005 and January 2011 of 943,000 Sutter Medical Foundation patients.
Sutter maintains that the stolen computer did not contain any patient financial data, Social Security numbers, health plan identification numbers, or actual medical records. "While no medical records themselves were on the computer, some medical information was included for a portion of patients," Sutter said in its advisory.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.