In yet another breach incident, Sutter Health, an integrated delivery system, reported the theft of a desktop device during the weekend of Oct 15 and 16. Sutter Health was in the process of encrypting all desktop computers when one of the devices yet to be encrypted was stolen from an administrative office of Sutter Medical Foundation, a physician network based in Sacramento, California.
While the computer contained records of 4.2 million patients, it is believed that it did not include Social Security numbers, health plan IDs, medical records, or financial information of any of the patients. Rather, it contained a database of Sutter Physician Services, which provides billing and other administrative services to 21 Sutter units. The database included names, addresses, dates of birth, phone numbers, email IDs, medical record numbers, and health insurance plans of 3.3 million patients collected from 1995 through January 2011.
Apart from this, the device also contained a database with information on 943,000 patients of Sutter Medical Foundation. While this smaller database included the same demographic details as the larger one, it also had the dates of service and descriptions of diagnoses and procedures. Sutter Health will soon notify these 943,000 patients, whose records contained more extensive information.
In its statement, Sutter Health has declared that all laptops and BlackBerries in the facility were already encrypted, and that desktop computers were in the process of being encrypted when the theft took place. Following this incident, Sutter Health has ramped up security measures by implementing routine security updates, reinforcing security practices, and encrypting all computers. While Sutter Health is working with the police on the investigation and taking corrective action to remediate the situation, a security solution like SecureGRC could have actually prevented such an incident from taking place. Its security monitoring and compliance management capabilities can effectively support an organization’s security policies and ensure complete information safety.