Hospital operator Sutter Health last week said personal information on more than 2,500 patients was improperly emailed by a former employee in 2013, representing a possible breach of patient data.
The possible breach is the latest privacy violation for the major California-based health system.
According to a notice posted on Sutter’s website on Sept. 11, the former employee at Sutter Physician Services emailed the records of 2,582 patients to a personal account without authorization. They included name, date of birth, insurance identification number, date of service and billing code. In two cases a driver’s license number was accessed and in one case the patient’s Social Security number was included.
The company said no financial information was leaked.
Sutter said the event occurred in April 2013, and was recently discovered through a review of the former employee’s email and computer use.
Sutter began its investigation on Aug. 27.
“Our patients trust us to provide their care and protect their privacy,” Sutter Health chief medical officer Stephen Lockhart said in the announcement. “We believe protecting patients’ health information is the responsibility of every employee. We require employees to sign confidentiality agreements. In addition, we train them to follow privacy and information security policies and regulations. We deeply regret this incident occurred.”
While this potential breach is relatively small, Sutter is no stranger to security issues. In one of the largest breaches, the system in 2011 saw the records of more than 4 million patients breached after an unencrypted company desktop computer was stolen. The company faced billions in payments in a consolidated class action suit that was later dismissed.
As for 2015, this is the third breach for Sutter. In January and again in March, hundreds of patients’ charts were stolen from Sutter hospitals.
Sutter said it will pay for free credit monitoring services for one year for all affected patients.