Share this article on:
Sutter Health, a Northern California not-for-profit health system, has recently discovered a HIPAA breach that occurred on April 26, 2013.
A former employee of the healthcare provider was discovered to have emailed company billing documents to a personal email account, which was against company regulations and was in violation of the Health Insurance Portability and Accountability Act (HIPAA). Those documents contained the Protected Health Information (PHI) of 2,582 patients, the vast majority of whom had been patients of the Sacramento-based Sutter Medical Foundation. The ex-employee had previously worked for Sutter Physician Services, which provides billing services for the healthcare provider’s medical foundations.
Sutter Health received a tip-off about inappropriate use of a company computer by the former employee, who had left the company in November 2014. An investigation was immediately launched to determine whether the complaint had any foundation and to determine whether HIPAA Rules had in fact been violated.
Bill Gleeson, a spokesperson for Sutter Health, said that investigation uncovered unauthorized emails that had been sent to the employee’s personal email account, according to the Sacramento Bee. The HIPAA violation was discovered on August 27, 2015; more than two years after the emails were sent.
Gleeson said the company has not been able to determine why the employee decided to email the information to a personal email account, but no evidence has been found to suggest the data have been used inappropriately or viewed by anyone other than the individual concerned.
Even though PHI was included in billing documents, no financial data were reportedly exposed in the incident; however the documents did contain patient names, health insurance identification numbers, dates of birth, billing codes, and the dates that medical service were provided. One Social Security number and two driver’s license numbers were also detailed in the emailed documents.
Sutter Health’s Chief Medical Officer, Stephen Lockhart, said in a news release posted on Sutter’s website, “We believe protecting patients’ health information is the responsibility of every employee. We require employees to sign confidentiality agreements. In addition, we train them to follow privacy and information security policies and regulations. We deeply regret this incident occurred.”
Breach notification letters were mailed to all affected patients on September 11 to inform them that their PHI had been emailed outside the company’s network, and the Department of Health and Human Services’ Office for Civil Rights has also been informed of the security breach. As a precaution against identity theft, all affected patients are being offered a year of credit monitoring services without charge.