Sutter Lakeside reports data breach; records of 45,000 people at risk
Written by Elizabeth Larson
Monday, 10 December 2007
LAKEPORT – A potential breach of Sutter Lakeside patient records has put the information of an estimated 45,000 people at risk, hospital officials reported Monday.
Steps to protect against fraud
For those who have received a notification from Sutter Lakeside, the hospital recommends taking the following actions to reduce the risk of information misuse:
1. Follow the steps outlined at www.privacy.ca.gov/cover/identitytheft.htm to protect private information (or request this information from the California Office of Privacy Protection by calling 1-866-785-9663).
2. With your prior authorization, Sutter Lakeside will pay for a credit check. To take advantage of this free credit report, call the telephone HOTLINE that has been established: 1-866-785-6443. The hotline will be staffed Monday-Friday from 8 a.m. to 5 p.m. through January 2008.
3. As an added precaution, place a “fraud alert” on your credit file by calling one of the three major credit bureaus (they will notify the other two). There is no cost to do so.
TransUnion: 1-800-680-7289 (www.transunion.com)
Experian: 1-888-397-3742 (www.experian.com)
Equifax: 1-888-766-0008 (www.equifax.com)
The statement from Sutter Lakeside followed a Dec. 6 letter sent to the thousands of patients in question, informing them of the data breach, according to a copy of the letter obtained by Lake County News.
Sutter Lakeside spokesman Mitch Proaps said Monday that a laptop computer containing personal and medical information of certain former patients, employees and physicians was stolen on Nov. 18 from the residence of a man working as an information technology contractor.
The information on the laptop included names, addresses, phone numbers, dates of birth and Social Security numbers, said Proaps. “There were a small number that included insurance billing and health diagnosis information as well,” he added.
Most of the names were contained in a radiology system upgrade, one of a handful of hospital databases, said Proaps.
He said the hospital did not know how many of the affected individuals live in Lake County. The number of patients was high because it included individuals who had had both outpatient and inpatient care. This year, Proaps reported that the hospital had 2,600 inpatient discharges, with 82,000 outpatient visits.
“What we know about these names is the list dates back to 2005 and prior, but we don't know how far back prior,” he said.
Besides the unauthorized transmission of the information to the laptop, Proaps said, “At this time we have no knowledge of any misuse of this information.”
The theft, said Proaps, did not occur in Lake County, but another city, which he did not reveal because of an ongoing investigation. He said a police department in the contractor's city of residence is investigating the theft.
The contractor in question, said Proaps, was working with the hospital's information technology department on a system upgrade. The information, dating from 2005 and earlier, was to be transferred from one secure system to another as part of a system upgrade process.
Proaps said the contractor had authorization to access the information through a secure virtual private network.
“He was not authorized to transmit the data directly to the laptop hard drive,” said Proaps, because it takes the data out of the hospital's control.
The contractor did not explain why he transferred the information to his laptop, said Proaps.
Initially, hospital officials “had no reason to suspect” that the laptop contained confidential data; however, an internal review of archives confirmed the probability that the hard drive had contained personal information, according to Sutter Lakeside's report.
Once the hospital discovered that the laptop had contained confidential information, officials “immediately began taking steps to notify those individuals whose information may have been involved and to establish a hotline for people with questions.”
Proaps said Sutter Lakeside is pursuing a deductive investigation to determine just what was on the laptop.
The laptop was password protected; hospital officials reported that makes it difficult, but not impossible, for someone to break into the machine to access the patient information. A login password protects only the operating system session, not the data at rest: unless the disk itself is encrypted, its contents can be read by booting the machine from other media or by moving the drive to another computer.
Sutter Lakeside emphasized that they have no reason to suspect the information on the laptop has been accessed or misused but have notified approximately 45,000 people of the incident via mail.
Proaps said Sutter Lakeside also contacted the Sutter organization's legal and risk compliance departments for guidance after the information loss was discovered.
While there is no mandatory reporting agency on such data breaches, Proaps said the hospital reported the situation to the Department of Health Services.
Sutter Lakeside Chief Executive Officer Kelly Mather said in a written statement issued Monday morning that the hospital is making every effort to address the situation.
“We work in an environment where protecting individuals’ information is absolutely as important as providing quality service and care. Storing this type of information on a laptop hard drive is at variance with our organization’s strict policies,” said Mather.
“We have discontinued our business relationship with the contractor involved,” said Mather. “To reinforce a secure data environment this day forward, we already have taken aggressive steps to provide additional training to our managers, to conduct audits of all portable computer devices and to re-evaluate our policies and procedures where appropriate. Additionally, we have ordered the latest encryption software and will be installing it on our computer devices.”
Proaps said the hospital terminated work with the contractor as soon as its investigation revealed that protected information was on the laptop.
The investigation into the theft is ongoing, said Proaps. Mather's statement noted that the hospital is “fully cooperating with law enforcement in hopes of retrieving the stolen laptop.”
Proaps said the most important thing for the hospital to do now is let people know of the potential breach and inform them of how they can protect themselves.
Although such a data breach hasn't happened in other parts of the Sutter organization, there are hundreds of such data breaches on an annual basis around the country, said Proaps. “But that doesn't comfort any of us.”
The Privacy Rights Clearinghouse, a nonprofit group that tracks data breaches, reports that more than 216 million records containing sensitive personal information have been compromised in security breaches across the United States since January 2005.
The group also reported that between 2002 and 2006, 478 laptops were lost or stolen from the Internal Revenue Service, with 112 of the computers holding sensitive taxpayer information.
In this month alone, several instances of stolen laptops at research and health care facilities and blood banks were reported, according to the Privacy Rights Clearinghouse.
Prob #1. Why does Sutter have sensitive data in a system not protected against unauthorized downloads? ANY download of that amount of data should set off alarms when it happens, not weeks later.
Prob #2. Where did that laptop go missing and why can't we know? The line about it jeopardizing the investigation is BS.
Prob #3. Why can't we know who did the data download (which should be a crime), and who was he working for?
Prob #4. Exactly WHEN did Sutter know? It had to have been at least a WEEK AGO!
Prob #5. I have plenty of good reasons to hate Sutter, now I have one more!
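The point raised in #1 above, that a bulk pull of records should trip an alarm while it is happening rather than weeks later, is the kind of check a practitioner would implement as a volumetric egress detector on the database or VPN audit trail. The following is an added example, not code from Sutter Lakeside, Lake County News or any commenter here; the log format, the system name, the user names and the row counts are all constructed for illustration, and the threshold and window are assumptions a real deployment would tune to its own baseline.

```python
"""Flag bulk record egress from a constructed audit log (added example).

Constructed sample data; not from Sutter Lakeside or any real system. The
log format, system and user names, threshold and window are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    system: str
    action: str
    rows: int


@dataclass(frozen=True)
class Alert:
    user: str
    system: str
    window_end: datetime
    rows_in_window: int


# Constructed audit log, one event per line:
#   <ISO timestamp> <user> <system> <action> <rows returned>
# "contractor_x" is a hypothetical account with legitimate read access.
SAMPLE_LOG = """\
2007-11-10T09:12:03 jdoe radiology_db query 120
2007-11-10T09:40:17 jdoe radiology_db export 350
2007-11-10T10:02:44 contractor_x radiology_db query 80
2007-11-10T22:15:09 contractor_x radiology_db export 18000
2007-11-10T22:41:52 contractor_x radiology_db export 22000
2007-11-11T08:05:30 jdoe radiology_db query 60
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, rows = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, system, action, int(rows)))
    return sorted(events, key=lambda e: e.when)


def detect_bulk_egress(
    events: List[Event],
    threshold_rows: int = 5000,
    window: timedelta = timedelta(hours=1),
) -> List[Alert]:
    """Sliding-window row count per (user, system).

    For every event, sum the rows that the same user pulled from the same
    system in the trailing window. Any event whose window total reaches the
    threshold produces an alert carrying the total, so a second dump after
    a first one is reported as well rather than being swallowed.
    """
    recent: Dict[Tuple[str, str], Deque[Event]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in events:
        key = (ev.user, ev.system)
        bucket = recent[key]
        bucket.append(ev)
        # Drop events that fell out of the trailing window.
        while bucket and bucket[0].when < ev.when - window:
            bucket.popleft()
        total = sum(e.rows for e in bucket)
        if total >= threshold_rows:
            alerts.append(Alert(ev.user, ev.system, ev.when, total))
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_egress(parse_log(SAMPLE_LOG)):
        print(f"{a.window_end.isoformat()} {a.user} pulled {a.rows_in_window} rows "
              f"from {a.system} within the trailing window")
```

Run against the constructed log, the two late-evening exports by the hypothetical contractor account trip the 5,000-row threshold (18,000 rows, then 40,000 rows in the same hour), while the ordinary daytime queries by the other user stay silent. The detector keys on the volume of records leaving the system, not on whether the account was authorized to connect, which matches the distinction the article draws between authorized VPN access and an unauthorized copy to a local disk.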
taxismom - sutter health - putting profit
Registered | 12-11-2007 10:30:23
contracting out hospital services ....
home page
http://www.suttercorporatewatch.com/index.php
5176 Hill Road East
Lakeport, CA 95453
2003 Profits:* $3,702,821
CEO: Kelly Mather
2003 Operating Margin:* 6.58%
2003 Compensation:** $305,114

STAFFING*
Productive Hours/Adjusted Patient Day       Facility    Statewide Average
Non-management Total                        28.07       23.86

CHARITY CARE*
Charity Care Costs: $64,113
                                            Facility    Statewide Average
Charity Care (as % of Net Patient Revenue)  0.12%       1.08%

* 2003 OSHPD Annual Financial Data
** 2003 IRS 990 (Partial form posted due to large file size. Request a full copy.)

Productive Hours per Adjusted Patient Day: Indicator of visit volume which adjusts patient days to account for outpatient visits.

Patient Days: Common term used in the hospital industry to measure the volume of patients a hospital admits and cares for over a certain period of time. "Patient days" are defined as the total number of days that all admitted patients spent in the hospital during a given period. It includes the day a patient is admitted, but not the day the patient is discharged.
yellowwing
Registered | 12-11-2007 10:32:30
There are plenty of software programs to encrypt laptops, etc. so that in the event one goes missing the data is secure.
Unfortunately we have received letters from FOUR different entities this year telling us that a laptop is missing, or some idiot put our SSNs on the OUTSIDE of an envelope, or their business was broken into.
It is reprehensible that companies with our sensitive data do not have the data encrypted for OUR protection.
The bigger question should be - why is personal information downloaded into a laptop? Why is the information permitted to be mobile in the first place?
scoarter - BS?
Registered | 12-11-2007 13:50:41
Hey smurf,
Re: your #2...you won't think it's BS when the thief finds out what is actually on the laptop because he reads it in the news! As a former investigator, I'd say law enforcement probably asked them to keep the details quiet!!!
smurf - reality check
Registered | 12-11-2007 19:47:24
How many laptops were stolen in this general area on November 18th from somebody's home? That info is already out there, so not telling us where it got swiped won't make any difference. I suspect they have other reasons for not telling, that are more along the lines of avoiding further embarrassment for Sutter.