- Elizabeth Larson
Sutter Lakeside reports data breach; records of 45,000 people at risk
The statement from Sutter Lakeside followed a Dec. 6 letter sent to the thousands of patients in question, informing them of the data breach, according to a copy of the letter obtained by Lake County News.
Sutter Lakeside spokesman Mitch Proaps said Monday that a laptop computer containing personal and medical information of certain former patients, employees and physicians was stolen from the residence of a man working as an information technology contractor on Nov. 18.
The information on the laptop included names, addresses, phone numbers, dates of birth and Social Security numbers, said Proaps. “There were a small number that included insurance billing and health diagnosis information as well,” he added.
Most of the names were contained in a radiology system upgrade, one of a handful of hospital databases, said Proaps.
He said the hospital did not know how many of the affected individuals live in Lake County. The number of patients was high because it included individuals who had had both outpatient and inpatient care. This year, Proaps reported that the hospital had 2,600 inpatient discharges, with 82,000 outpatient visits.
“What we know about these names is the list dates back to 2005 and prior, but we don't know how far back prior,” he said.
Besides the unauthorized transmission of the information to the laptop, Proaps said, “At this time we have no knowledge of any misuse of this information.”
The theft, said Proaps, did not occur in Lake County, but in another city, which he did not reveal because of an ongoing investigation. He said a police department in the contractor's city of residence is investigating the theft.
The contractor in question, said Proaps, was working with the hospital's information technology department on a system upgrade. The information, dating from 2005 and earlier, was to be transferred from one secure system to another as part of a system upgrade process.
Proaps said the contractor had authorization to access the information through a secure virtual private network.
“He was not authorized to transmit the data directly to the laptop hard drive,” said Proaps, because it takes the data out of the hospital's control.
The contractor did not explain why he transferred the information to his laptop, said Proaps.
Initially, hospital officials “had no reason to suspect” that the laptop contained confidential data; however, an internal review of archives confirmed the probability that the hard drive had contained personal information, according to Sutter Lakeside's report.
Once the hospital discovered that the laptop had contained confidential information, officials “immediately began taking steps to notify those individuals whose information may have been involved and to establish a hotline for people with questions.”
Proaps said Sutter Lakeside is pursuing a deductive investigation to determine just what was on the laptop.
The laptop was password protected; hospital officials reported that this makes it difficult, but not impossible, for someone to break into the machine to access the patient information.
Sutter Lakeside emphasized that they have no reason to suspect the information on the laptop has been accessed or misused but have notified approximately 45,000 people of the incident via mail.
Proaps said Sutter Lakeside also contacted the Sutter organization's legal and risk compliance departments for guidance after the information loss was discovered.
While there is no mandatory reporting agency on such data breaches, Proaps said the hospital reported the situation to the Department of Health Services.
Sutter Lakeside Chief Executive Officer Kelly Mather said in a written statement issued Monday morning that the hospital is making every effort to address the situation.
“We work in an environment where protecting individuals’ information is absolutely as important as providing quality service and care. Storing this type of information on a laptop hard drive is at variance with our organization’s strict policies,” said Mather.
“We have discontinued our business relationship with the contractor involved,” said Mather. “To reinforce a secure data environment this day forward, we already have taken aggressive steps to provide additional training to our managers, to conduct audits of all portable computer devices and to re-evaluate our policies and procedures where appropriate. Additionally, we have ordered the latest encryption software and will be installing it on our computer devices.”
Proaps said the hospital terminated work with the contractor as soon as its investigation revealed that protected information was on the laptop.
The investigation into the theft is ongoing, said Proaps. Mather's statement noted that the hospital is “fully cooperating with law enforcement in hopes of retrieving the stolen laptop.”
Proaps said the most important thing for the hospital to do now is let people know of the potential breach and inform them of how they can protect themselves.
Although such a data breach hasn't happened in other parts of the Sutter organization, there are hundreds of such data breaches on an annual basis around the country, said Proaps. “But that doesn't comfort any of us.”
The Privacy Rights Clearinghouse, a nonprofit group that tracks data breaches, reports that more than 216 million records containing sensitive personal information have been compromised in security breaches across the United States since January 2005.
The group also reported that between 2002 and 2006, 478 laptops were lost or stolen from the Internal Revenue Service, with 112 of the computers holding sensitive taxpayer information.
In this month alone, several instances of stolen laptops at research and health care facilities and blood banks were reported, according to the Privacy Rights Clearinghouse.