Sutter Health reports breach involving billing documents
Cathy Locke reports:
Sutter Health announced Friday that it is notifying 2,582 patients that personal information was included in electronic versions of billing documents that a former employee emailed to a personal account without authorization.
For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included, according to a news release.
Read more on SacBee.
Sutter’s statement was posted to their news blog yesterday:
Sutter Health is notifying 2,582 patients that personal information was included in certain electronic versions of billing documents that a former employee emailed to a personal account without authorization. For all but two of the affected patients, no Social Security numbers, financial information or driver’s license data were included. This discovery occurred during a thorough review of the former employee’s email activity and computer access.
Sutter Health discovered the electronic information:
- For all affected patients, included name, date of birth, insurance identification number, date of service and billing code.
- For one patient, included a California driver’s license number.
- For one patient, included a Social Security number and California driver’s license number.
Most of the patients involved in the April 26, 2013 incident reside in the greater Sacramento region and are patients of Sacramento-based Sutter Medical Foundation.
On Aug. 27, 2015, Sutter Health began an investigation after learning of possible improper conduct by the former employee, who worked for Sutter Physician Services (SPS). SPS handles billing for Sutter Health’s physician medical foundations.
Sutter Health has no evidence that any of the patient information was used or disclosed to others. Patients receiving a letter mailed Sept. 11 will be offered free credit monitoring services for one year. Sutter Health also notified the appropriate government agencies.
Following is a statement from Stephen Lockhart, M.D., Ph.D., Sutter Health chief medical officer:
“Our patients trust us to provide their care and protect their privacy. We believe protecting patients’ health information is the responsibility of every employee. We require employees to sign confidentiality agreements. In addition, we train them to follow privacy and information security policies and regulations. We deeply regret this incident occurred.”
Patients with questions or concerns may call 1-877-235-0796 Monday through Friday, 6 a.m. to 5 p.m. Pacific Time. Patients, when prompted, will need to enter a 10-digit reference number: 2456090915.
The statement does not indicate how Sutter Health first learned of possible improper conduct. Were they alerted by law enforcement or did they learn of this via some other means?