Sutter Health Sued for 4.24M HIPAA Mega Breach

Two class action lawsuits have now been filed against the Sutter Health hospital system in Northern California after a burglary at its administrative offices in Sacramento potentially exposed the Protected Health Information of 4.24 million patients.

Over the weekend of Oct 15-16 thieves gained access to the offices by throwing a rock through the window. Once inside they cleared the office of electrical equipment including a PC, mouse and computer monitors. The PC contained data relating to 3.3 million former and current patients of Sutter Physician Services (SPS) with the records dating back to 1995. Social Security numbers were not included in the data although some personally identifiable information could potentially have been accessed by the thieves. The data included names, dates of births, addresses, phone numbers and some email addresses.

The breach also exposed the medical records of 943,000 patients from the Placer, Sacramento, Solano, Sutter, Yolo and Yuba counties who had been treated by Sutter Medical Foundation doctors from January 2005 to the present.

One of the lawsuits has been filed on behalf of Javier Garcia by the Harris & Rubel Law firm against both Sutter Medical Foundation and Sutter Physician Services for failing to implement adequate controls to keep patient data secure.

Sutter Health had a policy of data encryption and many hard drives had been encrypted; however the process took time and mobile devices were given priority. Laptops and Blackberry devices had their data encrypted but Sutter Health had only just started its PC data encryption program and the process had not been completed, although the stolen PC was protected by a password. The Sutton Health program of data encryption started in 2007.

A second class action lawsuit has been filed in Sacramento by the Dreyer Babich Buccola Wood law firm which is representing Karen Pardieck, with damages of $1,000 being claimed for each of the 4.24 million victims.

Sutter Health reported the theft to the Sacramento Police Department as soon as the break-in was discovered and investigations are continuing. There is no reason to suggest that the office was targeted specifically for the data the PCs contained, although it is possible that the data has been accessed by the individuals in possession of the equipment.

Due to the volume of breach notification letters Sutter Health was required to send the process took two weeks to complete, with the first letters sent on Nov 15 with all communications dispatched by Nov 29. The healthcare provider has been criticized by some patients for delaying sending the letters for a month, although HITECH require notifications to be sent within 60 days so they were sent well before the legal deadline.

According to Sutter Health Spokesperson, Nancy Turner, the delay in issuing the breach notifications was due to the time it took to identify the data contained on the PC. Once this was ascertained the notifications were prepared and sent. Patients have been advised that they should receive the communication by December 5th and if not it is unlikely that they have been affected.

Sutter Health has set up a toll free number (855-770-0003) for any individual concerned about the incident to receive further information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.