Sutter Health, a not-for-profit health system in Northern California, has issued a breach notification alerting the public and patients to a security incident that occurred at its California Pacific Medical Center (CPMC).
CPMC reported that it discovered a case of improper access to patient records by an employee during one of its “proactive” audits of electronic medical records on October 10, 2014. That audit showed that one employee had accessed the records of 14 patients. Those patients were mailed breach notification letters on October 21, 2014, and the work contract of the employee in question was terminated.
Once the breach had been stopped, CPMC investigated the matter further and discovered that a total of 844 patient records had potentially been viewed inappropriately, as there appeared to be no treatment or business purpose that required those records to be viewed. The records were accessed over a period of a year, between October 2013 and October 2014.
According to the statement, the information which was potentially accessed by the employee included “patient demographics, last four digits of social security number, clinical information including diagnosis and clinical notes, and prescription information.”
The notification pointed out that the employee did not see “full Social Security numbers, driver’s license numbers, California identification numbers, credit card numbers or financial account information.”
CPMC has assessed the risk and deems it to be minimal, and in the breach notifications already issued it says that no action is required by patients who have been affected by the breach.
The healthcare provider has determined that the employee only accessed the patient records out of curiosity and without any malicious intent. Since the employee no longer works for the hospital, there is no further risk to patients. Because of this, patients have not been offered any identity theft protection or credit monitoring services.
CPMC confirmed that it takes the privacy of patients seriously and, as a result of this incident, has reiterated to staff the importance of data privacy and that inappropriate and unauthorized access of patient health records will result in loss of employment.
Further steps CPMC could take to improve data privacy and security are to increase the frequency of its internal audits, or at least to introduce more frequent checks of access logs. HIPAA rules require covered entities to routinely monitor for inappropriate access to patient health records. Had this been the case, CPMC might have been able to identify the breach much more quickly and reduce the number of patients affected.