Sutter Health Physician Suffers Second 2015 Data Breach

In a press release issued to the media on May 19, 2015, Sutter Health Physician, Sharon J. Jones, M.D. announced that her office facilities had suffered a break in and a desktop computer, two laptop computers, a computer server and 17 patient charts were stolen. The break-in occurred overnight on March 20, 2015. The breach has now been reported to the Office for Civil Rights as affecting 1,342 individuals.

This is not the first time the offices have suffered at the hands of burglars, and in only January of this year the same facilities were broken into and 350 patient charts were stolen along with a credit card register.

The thief appears to be persistent. Following the second break in, Jones hired a security guard who managed to stop a third break in attempt three days later. Jones stated that she has employed new security measures to protect patient records, one of these appears to be moving her office from San Pablo to Richmond, which she plans on doing in the next 6 months.

In the latest incident, the press release does not describe the information contained in the patient charts. The charts stolen during the previous burglary included patients’ first and last names, dates of birth, addresses, telephone numbers, medical records (lab results, history, physical, consultation notes, hospital notes), and medical insurance information being exposed. If patients had provided their Social Security numbers, they too were exposed in the breach.

Jones said that the only data potentially exposed by the theft of computer hardware was copies of the breach notification letters which were being sent to the 350 victims from January’s break-in. Those letters contained no financial information or Social Security information, but did detail “patient names, address, date of birth, and basic medical information regarding the purpose of the letter.”

A basic level of protection existed as the computers were password-protected so the thief may not have been able to view any information.

Patients affected by the first data breach have already been offered identify theft protection services via Kroll and were notified about the first data breach, 15 days prior to the second one occurring. Many can now expect to receive a second breach notification in the mail.

Sutter Health was involved in a much larger data breach in October, 2011, when a password-protected laptop was stolen resulting in the healthcare records of 4.24 million patients being exposed.

Updated: 06/02/2015

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.