
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Sutter Health Physician Suffers Second 2015 Data Breach

In a press release issued to the media on May 19, 2015, Sutter Health physician Sharon J. Jones, M.D., announced that her office facilities had suffered a break-in in which a desktop computer, two laptop computers, a computer server, and 17 patient charts were stolen. The break-in occurred overnight on March 20, 2015. The breach has now been reported to the Office for Civil Rights as affecting 1,342 individuals.

This is not the first time the offices have suffered at the hands of burglars. In January of this year, the same facilities were broken into and 350 patient charts were stolen along with a credit card register.

The thief appears to be persistent. Following the second break-in, Jones hired a security guard who managed to stop a third break-in attempt three days later. Jones stated that she has employed new security measures to protect patient records, one of which appears to be moving her office from San Pablo to Richmond, which she plans on doing in the next 6 months.

The press release does not describe the information contained in the patient charts stolen in the latest incident. The charts stolen during the previous burglary included patients’ first and last names, dates of birth, addresses, telephone numbers, medical records (lab results, history, physical, consultation notes, hospital notes), and medical insurance information. If patients had provided their Social Security numbers, they too were exposed in the breach.


Jones said that the only data potentially exposed by the theft of computer hardware were copies of the breach notification letters that were being sent to the 350 victims of January’s break-in. Those letters contained no financial information or Social Security information, but did detail “patient names, address, date of birth, and basic medical information regarding the purpose of the letter.”

A basic level of protection existed, as the computers were password-protected, so the thief may not have been able to view any information.

Patients affected by the first data breach have already been offered identity theft protection services via Kroll and were notified about the first data breach 15 days prior to the second one occurring. Many can now expect to receive a second breach notification in the mail.

Sutter Health was involved in a much larger data breach in October 2011, when a password-protected laptop was stolen, resulting in the healthcare records of 4.24 million patients being exposed.

Updated: 06/02/2015

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
