A stolen unencrypted computer at Sutter Medical Foundation contained protected health information on more than 4.2 million patients. The information, however, does not include financial data, Social Security numbers, patient health plan ID numbers or medical records, according to the health system.

For that reason, Sacramento, Calif.-based Sutter Health is not offering paid credit/fraud protection services to affected patients. "Because the computer did not contain Social Security numbers, or any financial, credit card, debit card or bank account information, credit monitoring services would not be of value," the delivery system says on a Web site set up to disseminate information about the breach.

The desktop computer contained information for two affiliates of the delivery system--Sutter Physicians Services and Sutter Medical Foundation. A notice to patients includes a list of 21 physician practices affected by the breach.

The breach affected two sets of patients. For about 3.3 million patients from 1995 through January 2011 whose physicians are supported by billing and managed care services firm Sutter Physician Services, information on the computer included name, address, date of birth, phone number and e-mail address if provided. These patients are not being notified by mail but via the Sutter Web site and media stories, in compliance with state and federal regulations, according to a spokesperson.

There also was information on the computer about 943,000 patients of Sutter Medical Foundation from January 2005 through January 2011. The information on these patients also included dates of services and a description of diagnoses and/or procedures. Sutter has begun notifying these patients by mail.

Sutter has encrypted laptops and Blackberry devices across the delivery system and was in the process of encrypting computers at the time of the theft, and that process has been accelerated.

To view a slideshow on steps to take after a data breach, click here.


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access