
Sutter Health Discovers 2013 HIPAA Breach Affecting 2.5K Patients

Sutter Health, a Northern California not-for-profit health system, has recently discovered a HIPAA breach that occurred on April 26, 2013.

A former employee of the healthcare provider was discovered to have emailed company billing documents to a personal email account, which was against company regulations and was in violation of the Health Insurance Portability and Accountability Act (HIPAA). Those documents contained the Protected Health Information (PHI) of 2,582 patients, the vast majority of whom had been patients of the Sacramento-based Sutter Medical Foundation. The ex-employee had previously worked for Sutter Physician Services, which provides billing services for the healthcare provider’s medical foundations.

Sutter Health received a tip-off about inappropriate use of a company computer by the former employee, who had left the company in November 2014. An investigation was launched immediately to establish whether the complaint had any foundation and whether HIPAA Rules had in fact been violated.

Bill Gleeson, a spokesperson for Sutter Health, told the Sacramento Bee that the investigation uncovered unauthorized emails that had been sent to the employee’s personal email account. The HIPAA violation was discovered on August 27, 2015, more than two years after the emails were sent.


Gleeson said the company has not been able to determine why the employee emailed the information to a personal email account, but no evidence has been found to suggest the data have been used inappropriately or viewed by anyone other than the individual concerned.

Although PHI was included in the billing documents, no financial data were reportedly exposed in the incident; however, the documents did contain patient names, health insurance identification numbers, dates of birth, billing codes, and the dates on which medical services were provided. One Social Security number and two driver’s license numbers were also included in the emailed documents.

Sutter Health’s Chief Medical Officer, Stephen Lockhart, said in a news release posted on Sutter’s website, “We believe protecting patients’ health information is the responsibility of every employee. We require employees to sign confidentiality agreements. In addition, we train them to follow privacy and information security policies and regulations. We deeply regret this incident occurred.”

Breach notification letters were mailed to all affected patients on September 11 to inform them that their PHI had been emailed outside the company’s network, and the Department of Health and Human Services’ Office for Civil Rights has also been notified of the breach. As a precaution against identity theft, all affected patients are being offered a year of credit monitoring services free of charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.