Sutter Health Sued Over 4.24M HIPAA Mega Breach

Two class action lawsuits have now been filed against the Sutter Health hospital system in Northern California after a theft at its administrative offices in Sacramento potentially exposed the Protected Health Information of 4.24 million patients.

Over the weekend of Oct 15-16, burglars gained entry to the offices by hurling a rock through the window. Once inside, they emptied the office of electrical equipment including computer monitors, mouse, and a PC. The PC held data pertaining to 3.3 million current and former patients of Sutter Physician Services, with the files dating back to 1995. Social Security numbers were not included in the data, although some individually identifiable information might potentially have been accessed by the burglars. The data included names, addresses, dates of birth, phone numbers, and a few email addresses.

The theft also exposed the medical histories of 943,000 patients from Yuba, Yolo, Sutter, Solano, Sacramento, and Placer counties who had been treated by Sutter Medical Foundation physicians from January 2005 to date.

One of the lawsuits has been filed by the Harris & Rubel law firm on behalf of Javier Garcia against both Sutter Physician Services and Sutter Medical Foundation for failing to implement sufficient controls to keep patient data safe.

Sutter Health had a data encryption program and a number of hard drives had been encrypted; however, the process took time and mobile devices were given priority. BlackBerry devices and laptops had their data encrypted, but Sutter Health had only just begun its PC data encryption schedule and the process had not been finished, although the stolen PC was protected by a password. The Sutter Health data encryption program began in 2007.

A second class action lawsuit has been filed by the Dreyer Babich Buccola Wood law firm in Sacramento, which is acting for Karen Pardieck, with damages of $1,000 being sought for each of the 4.24 million victims.

Sutter Health reported the theft to the Sacramento Police Department immediately after the break-in was discovered, and inquiries are continuing. There is no reason to suggest that the office was targeted specifically for the data the PCs held, although it’s probable that the data has been retrieved by the persons in possession of the equipment.

Because of the number of breach notification letters Sutter Health was required to send, the process took 2 weeks to finish, with the first letters dispatched on Nov 15 and all notifications sent by Nov 29. The healthcare provider has been criticized by some patients for delaying sending the letters for a month, though HITECH required notices to be sent within 60 days; they were therefore sent well ahead of the legal deadline.

According to Nancy Turner, Sutter Health spokesperson, the delay in sending the breach notices was due to the time it took to classify the data contained on the PC. As soon as this was determined, the notices were prepared and sent. Patients have been told that they should receive the notice by December 5th, and if they do not, it’s unlikely that they have been affected.

Sutter Health has set up a toll-free number (855-770-0003) for anyone concerned about the case to obtain additional information.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.