Theft of data on 4M patients part of wider problem

November 18, 2011 By DON THOMPSON and MARCUS WOHLSEN , Associated Press

The theft of a computer containing information on more than 4 million patients of a major Northern California health care provider may be among the largest breaches of health care data in recent years, but it's far from the only incident of its kind.

Over the last two years, have reported 364 incidents involving the loss or theft of ranging from names and addresses to Social Security numbers and medical diagnoses on nearly 18 million patients - equivalent to the population of Florida.

A thief stole medical information on more than 4 million patients of Sacramento-based Sutter Health last month by the simple act of breaking a window with a rock at the affiliated Sutter Medical Foundation. Stolen over the weekend of Oct. 15 were monitors, keyboards and a desktop computer containing dating to 1995.

Employees reported the theft to Sacramento police when they returned to work that Monday, Oct. 17, said Sgt. Andrew Pettit, but they didn't notify the public until Wednesday, a month later. The company said in announcing the theft Wednesday that some patients might not receive mailed notices until early next month.

"If that machine is that valuable, then there should be more where that is protected. There's got to be something in place to make sure that that doesn't happen," Pettit said.

Police were investigating the as a routine smash-and-grab property theft, he said, and so far there is no indication that the information in the computer has been used.

Since federal health care data breach notification rules took effect in 2009, Health and Human Services records show that the Sutter theft was exceeded only when the U.S. military's health insurance program lost backup tapes in September containing information on more than 4.9 million patients.

While Sutter said the computer was password-protected, the data on patients was not encrypted, drawing criticism from privacy and computer security experts.

"Had this data been encrypted, you and I wouldn't be having this discussion. It would be a nonissue," said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy organization based in Sacramento.

On a computer in which data is encrypted, a user would typically have to enter another password in addition to the computer's general password to access that specific data.

Information on about 3.3 million patients included name, address, date of birth, phone number, email address, medical record numbers and the name of the patient's health insurance plan. Information on another 943,000 patients also included dates of services and descriptions of medical diagnoses and procedures.

Sutter spokesman Bill Gleeson said the company waited a month because it took that long to determine which patients' information was contained in the computer. The company properly notified the federal government as well as others beyond what was required, he said, and hired a private investigator who so far has turned up no leads on the stolen computer.

The stolen computer was scheduled to be encrypted "very soon," he said. Sutter initially concentrated on encrypting hand-held and laptop computers because those were deemed more likely to be lost or stolen.

"We deeply regret that that computer was stolen and that information about our patients was included. We have no reason to believe that computer was taken for that information," he said. He added that Sutter has heightened security for the building and was working on encrypting all of its computers.

The stolen computer did not contain patient financial records, Social Security numbers, health plan identification numbers or actual medical records, Sutter said.

Though encrypting patient information is "highly recommended" by the federal government, Verizon health care and data security expert Dr. Peter Tippett said the health care industry lags behind the financial and high-tech industries by 10 to 15 years when it comes to protecting personal data.

"Overall, the health care system needs a lot of work at being more secure," Tippett said.

In most cases, Tippett said, computer thieves are simply looking to make a little cash reselling the stolen computer itself. Sometimes they may try to ransom the computer back to its original owner. If the data itself is accessed, usually by organized crime operations, he said criminals would generally try to use it to blackmail prominent people with potentially embarrassing diagnoses or steal patients' identities to fraudulently bill health insurers for medical procedures that weren't really performed.

The worst consequence an average patient could expect would be a bill for a co-pay for a procedure they never received, he said.

Tippett said blaming any incident of identity theft on the stolen Sutter computer would be tough. If exploited, the patient information on the stolen computer would simply be added to the insecure data available on most everyone already floating around on the world's computer networks.

"It's real. It will hurt some people. But it won't hurt the average person in Sacramento," he said.

Sutter appears to have followed state and federal law and faces little investigation at least from California, officials said, particularly if no damage results to individuals.

California Department of Managed Care spokeswoman Denise Schmidt said her agency is "looking into whether there may be an impact," but she couldn't say what that might entail.

State Department of Insurance spokesman Dave Althausen said his department would only become involved if there are fraudulent insurance claims as a result.

Sutter notified the state Department of Public Health, but didn't need to, said department spokesman Ralph Montano. His department would only have jurisdiction if the breach was from a hospital or nursing home, he said, not a medical foundation or physician services group.

Joanne McNabb, chief of the California Office of Privacy Protection, said Sutter was only required to notify the U.S. Department of Health and Human Services, which it did within the required 60 days.

It was also required to notify affected in "the most expedient time possible without unreasonable delay," she said, quoting a 2008 state law. A one-month delay might be reasonable because it could have taken that long to determine what information was on the computer, she said.

Consumers should watch out for bogus medical procedures showing up on health care notices, and should be careful not to be caught by crooks using their information to seek or other information, she said. But she said the data on the is relatively limited in the damage that could be done with it directly.

Explore further: Computer with info on 4M patients stolen in Calif.


Related Stories

Stanford Hospital privacy breach puts data online

September 9, 2011

(AP) -- Stanford Hospital in California is blaming a subcontractor used by an outside vendor for a privacy breach that led to the posting online of medical information for thousands of emergency room patients.

Hackers breach UC Berkeley computer database

May 8, 2009

(AP) -- University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others.

Nurses at dozens of Calif. hospitals strike

September 22, 2011

(AP) -- Nurses began picketing Thursday morning outside dozens of Northern and Central California hospitals as part of a one-day strike over benefit cuts and other concessions sought by hospital management.

Recommended for you

A not-quite-random walk demystifies the algorithm

December 15, 2017

The algorithm is having a cultural moment. Originally a math and computer science term, algorithms are now used to account for everything from military drone strikes and financial market forecasts to Google search results.

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

FCC votes along party lines to end 'net neutrality' (Update)

December 14, 2017

The Federal Communications Commission repealed the Obama-era "net neutrality" rules Thursday, giving internet service providers like Verizon, Comcast and AT&T a free hand to slow or block websites and apps as they see fit ...

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.