In April, the Oklahoma State Department of Health (OSDH) announced that a laptop and 50 papers containing medical information on over 133,000 persons were stolen from an employee's car. Then in September, TRICARE backup tapes containing data on 4.9 million patients from 1992 to most of 2011 were stolen out of a Science Applications International Corporation (SAIC) employee's car.
Now comes word this week that a desktop computer belonging to California's Sutter Medical Foundation that contained the records of over 4 million patients - some dating as far back as 1995 - was stolen from the Foundation's offices in mid-October.
According to this story in the Sacramento Bee, the patient information on the desktop was password protected but not encrypted. The Bee reports that for 3.3 million patients whose providers are supported by Sutter Physician Services and for 943,000 patients of the Sutter Medical Foundation itself, the computer contained their "... names, addresses, email addresses, dates of birth, telephone numbers and names of patients' health insurance plans."
The Sutter Health Foundation's press release quoted Sutter Health President and CEO Pat Fry as stating:
"Sutter Health holds the confidentiality and trust of our patients in the highest regard, and we deeply regret that this incident has occurred. The Sutter Health Data Security Office was in the process of encrypting computers throughout our system when the theft occurred, and we have accelerated these efforts."
That last sentence is likely cold comfort to those whose information was stolen.
Earlier this month, the payment information of some 8,000 people using Lawrence [Kansas] Memorial Hospital’s online patient bill-pay-services operated by its vendor Mid Continent Credit Services was discovered to have been publicly accessible since possibly as early as 2005. According to stories (here and here) appearing at Wellscommon.com, in late October, information on 28 LMH patients was discovered to be inadvertently posted online, including their names, contact information, health care provider and medical payments.
This led to an investigation that led to officials to worry that information on thousands more patients was also accessible, including says the Wellscommon.com story, the patients' name as well as their:
"... phone number, email address, health care provider, payment amount and date of payment;"
"Credit card information, including the type of card, name and address of the card holder, the account number, the verification number and the expiration date; [and]"
"Checking account information, including the check number, the account holder name and address, the checking account number and bank routing number, and the bank name and address."
LMH reportedly is expecting a Federal investigation into the situation and a fine. It has suspended online payments, and is looking for a new payment processing vendor, too. LMH director of community relations is quoted as saying:
"We take privacy and security of patient information very seriously and we sincerely apologize for the inconvenience caused by this event."
Both the Sutter Medical Foundation and Lawrence Memorial Hospital are in good company. The security company IdentityHawk reported that there were 58 publicly reported data breaches in October that resulted in the potential compromise of 12, 279,616 online records. The company reported that for September, they counted 54 data breaches and 10,461,621 records potentially compromised.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
