A desktop computer stolen from a Northern California health care system contained the personal information of roughly 4.2 million patients, the organization revealed Wednesday.
Sutter Health, a nonprofit network of doctors and hospitals serving 100 communities, said in a notice to patients that the computer was not encrypted when it was stolen Oct. 17 from Sutter's headquarters in Sacramento.
A database on the computer housed the names, addresses, birth dates, phone numbers, and medical record numbers of 3.3 million patients of Sutter Physician Services, which provides billing and managed care services for various health care providers. Also included were the names of the patient's health insurance plan. The assets were recorded beginning in 1995 until January of this year.
The same details of another 943,000 patients of the Sutter Medical Foundation also were compromised, in addition to the medical diagnoses and procedures they received from January 2005 to 2011.
Sutter elected to notify the 943,000 instead of the others because the information about them was "broader in scope."
In response to the incident, the company said it plans to expedite its plans to encrypt all desktops.
"[Sutter] has already encrypted portable laptops and Blackberries systemwide, and was in the process of encrypting desktop computers throughout the system when the theft took place," the notice said.
This is the second massive health care breach in less than two months. In late September, backup tapes containing the personal information of nearly five million current and former U.S. soldiers, who received treatment at military clinics and hospitals, went missing.
Data on the backup tapes belonged to Tricare, a health benefits provider for military personnel, retirees and their dependents, but the information had been entrusted to Science Applications International Corp. (SAIC), a high-tech defense contractor, which reported the breach.
The compromised data belonged to 4.9 million people who, from 1992 to Sept. 7 of this year, sought care at military treatment facilities in the San Antonio, Texas area, according to a Tricare statement. The data included Social Security numbers, addresses and phone numbers, in addition to health assets such as clinical notes, lab test reports and prescription information.