A Sutter Medical Foundation computer stolen in mid-October held information on more than 4 million patients, some dating back to 1995, Sutter Health officials said Wednesday.
The information, primarily demographic, but also containing descriptions of medical diagnoses and procedures, was stored on a password-equipped but unencrypted desktop computer in the administrative offices of Sutter Medical Foundation in Natomas, said Sutter Health spokeswoman Nancy Turner.
The breach is immense in its scope.
For 3.3 million patients whose providers are supported by Sutter Physician Services, names, addresses, email addresses, dates of birth, telephone numbers and names of patients' health insurance plans dating from 1995 were contained in the computer's database.
Sutter Physician Services provides billing and managed-care services for health care providers, including those in the Sutter Health network.
The computer contained the same information for 943,000 more Sutter Medical Foundation patients. It also included data on foundation patients from January 2005 to January 2011, such as dates of service and descriptions of medical diagnoses or procedures used for business operations.
The computer was swiped the weekend of Oct. 15, along with monitors and other equipment, during a break-in at the foundation's offices on Gateway Oaks Drive. Employees returned to work Oct. 17 to find a broken window and the terminal and other equipment missing. A report was filed with Sacramento police, Turner said.
Sutter Health officials have since hired a private investigator in an attempt to recover the stolen computer, and notified the California Department of Public Health and the U.S. Department of Health and Human Services about the theft and data breach.
State public health officials contacted Wednesday said they were notified, but said they have no jurisdiction over Sutter Medical Foundation and are not investigating the incident.
The Sutter Health network was in the process of encrypting data on its desktop computers, Turner said, but the stolen computer had not yet been processed. The encryption efforts began in 2007, starting with laptops and hand-held devices, before moving to desktops, she said.
Sutter officials said they are "accelerating these efforts" following the October theft.
Encryption technology scrambles the data stored on a computer so that it cannot be read without the decryption key; a login password alone does not alter the data on the disk, so it offers little protection once the machine itself is in someone else's hands.
Storage of patient data on an unencrypted desktop computer is "unusual, but sometimes necessary" to handle the volume of information, Turner said.
In a letter mailed Wednesday to Sutter Medical Foundation patients, foundation CEO Tom Blinn said, "We deeply regret that this incident has occurred and we are taking steps to prevent this from ever happening again."
Sutter Medical Foundation runs a series of clinics in the Sacramento region. The Foundation network includes Sutter Medical Group, Sutter Independent Physicians and Sutter North Medical Group.
Foundation patients are being notified by mail of the data breach and the steps they should take, which amount to reviewing their insurance information and contacting their insurance provider.
Sutter officials stressed that the stolen computer did not contain patient financial information or medical records, Social Security numbers or patients' health plan identification numbers.
But that did little to satisfy Sutter patients who wondered why such safeguards were not already in place.
"Don't tell me you're in the process (of encrypting). All computers should be encrypted period," said Susan Schneidt of Rancho Murieta, who called a Sutter Health information line on Wednesday. "What sensitive personal information is out there? This is not what I went to the doctor for."
Patients concerned about their information can go to Sutter Health's website, www.sutterhealth.org, to find a list of affected health providers or call toll-free at (855) 770-0003 between 8 a.m. and 5 p.m.
Patients will be asked to enter the 10-digit reference code: 7637111511.