Theft of data on 4M patients part of wider problem

Nov 18, 2011 By DON THOMPSON and MARCUS WOHLSEN , Associated Press

The theft of a computer containing information on more than 4 million patients of a major Northern California health care provider may be among the largest breaches of health care data in recent years, but it's far from the only incident of its kind.

Over the last two years, have reported 364 incidents involving the loss or theft of ranging from names and addresses to Social Security numbers and medical diagnoses on nearly 18 million patients - equivalent to the population of Florida.

A thief stole medical information on more than 4 million patients of Sacramento-based Sutter Health last month by the simple act of breaking a window with a rock at the affiliated Sutter Medical Foundation. Stolen over the weekend of Oct. 15 were monitors, keyboards and a desktop computer containing dating to 1995.

Employees reported the theft to Sacramento police when they returned to work that Monday, Oct. 17, said Sgt. Andrew Pettit, but they didn't notify the public until Wednesday, a month later. The company said in announcing the theft Wednesday that some patients might not receive mailed notices until early next month.

"If that machine is that valuable, then there should be more where that is protected. There's got to be something in place to make sure that that doesn't happen," Pettit said.

Police were investigating the as a routine smash-and-grab property theft, he said, and so far there is no indication that the information in the computer has been used.

Since federal health care data breach notification rules took effect in 2009, Health and Human Services records show that the Sutter theft was exceeded only when the U.S. military's health insurance program lost backup tapes in September containing information on more than 4.9 million patients.

While Sutter said the computer was password-protected, the data on patients was not encrypted, drawing criticism from privacy and computer security experts.

"Had this data been encrypted, you and I wouldn't be having this discussion. It would be a nonissue," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy organization based in Sacramento.

On a computer in which data is encrypted, a user would typically have to enter another password in addition to the computer's general password to access that specific data.

Information on about 3.3 million patients included name, address, date of birth, phone number, email address, medical record numbers and the name of the patient's health insurance plan. Information on another 943,000 patients also included dates of services and descriptions of medical diagnoses and procedures.

Sutter spokesman Bill Gleeson said the company waited a month because it took that long to determine which patients' information was contained in the computer. The company properly notified the federal government as well as others beyond what was required, he said, and hired a private investigator who so far has turned up no leads on the stolen computer.

The stolen computer was scheduled to be encrypted "very soon," he said. Sutter initially concentrated on encrypting hand-held and laptop computers because those were deemed more likely to be lost or stolen.

"We deeply regret that that computer was stolen and that information about our patients was included. We have no reason to believe that computer was taken for that information," he said. He added that Sutter has heightened security for the building and was working on encrypting all of its computers.

The stolen computer did not contain patient financial records, Social Security numbers, health plan identification numbers or actual medical records, Sutter said.

Though encrypting patient information is "highly recommended" by the federal government, Verizon health care and data security expert Dr. Peter Tippett said the health care industry lags behind the financial and high-tech industries by 10 to 15 years when it comes to protecting personal data.

"Overall, the health care system needs a lot of work at being more secure," Tippett said.

In most cases, Tippett said, computer thieves are simply looking to make a little cash reselling the stolen computer itself. Sometimes they may try to ransom the computer back to its original owner. If the data itself is accessed, usually by organized crime operations, he said criminals would generally try to use it to blackmail prominent people with potentially embarrassing diagnoses or steal patients' identities to fraudulently bill health insurers for medical procedures that weren't really performed.

The worst consequence an average patient could expect would be a bill for a co-pay for a procedure they never received, he said.

Tippett said blaming any incident of identity theft on the stolen Sutter computer would be tough. If exploited, the patient information on the stolen computer would simply be added to the insecure data available on most everyone already floating around on the world's computer networks.

"It's real. It will hurt some people. But it won't hurt the average person in Sacramento," he said.

Sutter appears to have followed state and federal law and faces little investigation at least from California, officials said, particularly if no damage results to individuals.

California Department of Managed Care spokeswoman Denise Schmidt said her agency is "looking into whether there may be an impact," but she couldn't say what that might entail.

State Department of Insurance spokesman Dave Althausen said his department would only become involved if there are fraudulent insurance claims as a result.

Sutter notified the state Department of Public Health, but didn't need to, said department spokesman Ralph Montano. His department would only have jurisdiction if the breach was from a hospital or nursing home, he said, not a medical foundation or physician services group.

Joanne McNabb, chief of the California Office of Privacy Protection, said Sutter was only required to notify the U.S. Department of Health and Human Services, which it did within the required 60 days.

It was also required to notify affected in "the most expedient time possible without unreasonable delay," she said, quoting a 2008 state law. A one-month delay might be reasonable because it could have taken that long to determine what information was on the computer, she said.

Consumers should watch out for bogus medical procedures showing up on health care notices, and should be careful not to be caught by crooks using their information to seek or other information, she said. But she said the data on the is relatively limited in the damage that could be done with it directly.

Explore further: Study reveals mature motorists worse at texting and driving

not rated yet
add to favorites email to friend print save as pdf

Related Stories

Stanford Hospital privacy breach puts data online

Sep 09, 2011

(AP) -- Stanford Hospital in California is blaming a subcontractor used by an outside vendor for a privacy breach that led to the posting online of medical information for thousands of emergency room patients.

Hackers breach UC Berkeley computer database

May 08, 2009

(AP) -- University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others.

Nurses at dozens of Calif. hospitals strike

Sep 22, 2011

(AP) -- Nurses began picketing Thursday morning outside dozens of Northern and Central California hospitals as part of a one-day strike over benefit cuts and other concessions sought by hospital management.

Recommended for you

Study reveals mature motorists worse at texting and driving

18 hours ago

A Wayne State University interdisciplinary research team in the Eugene Applebaum College of Pharmacy and Health Sciences has made a surprising discovery: older, more mature motorists—who typically are better drivers in ...

Napster co-founder to invest in allergy research

Dec 17, 2014

(AP)—Napster co-founder Sean Parker missed most of his final year in high school and has ended up in the emergency room countless times because of his deadly allergy to nuts, shellfish and other foods.

LA mayor plans 7,000 police body cameras in 2015

Dec 16, 2014

Mayor Eric Garcetti announced a plan Tuesday to equip 7,000 Los Angeles police officers with on-body cameras by next summer, making LA's police department the nation's largest law enforcement agency to move ...

Merriam-Webster names 'culture' word of the year

Dec 15, 2014

A nation, a workplace, an ethnicity, a passion, an outsized personality. The people who comprise these things, who fawn or rail against them, are behind Merriam-Webster's 2014 word of the year: culture.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.