Sutter Health of California suffered the theft of a computer containing health information on 4.2 million patients. A Sacramento law firm filed a class action lawsuit in Sacramento Superior Court on November 21, 2011, seeking $1,000 per patient plus attorney’s fees and costs. For about 3.3 million patients, the data consisted of the name, address, date of birth, phone number, and email address (if provided). For another 943,000 patients, a description of diagnoses and services provided was also breached.
The lawsuit alleges that Sutter violated state requirements to adequately protect the confidentiality of medical information and to notify affected persons within 30 days. The notification triggers differ: California law requires notification of all breaches, whereas HIPAA requires notification only when unsecured (readable) protected health information (“PHI”) is involved and the covered entity’s risk analysis of the breach demonstrates a risk of compromise of the PHI’s security, integrity, or privacy.
Of course, although the notification rules are different, the filing under state law does not mean that the breach was not a HIPAA breach, as well. If Sutter had done a risk analysis and determined that the breach did not pose one of those risks so it was not reportable under HIPAA, that action might provide a defense in the state court case because the plaintiffs would have to prove damages—that is, that the breach caused harm.
Regardless of whether the stolen computer was a desktop or a laptop, Sutter Health (and the patients) would be in far better shape had the PHI been encrypted. Encryption would have placed it within the “safe harbor” that makes the compromise of the equipment or media nonreportable to DHHS. See my November 15, 2011, blog posting about the need for physicians to encrypt PHI.
Because of this and other breaches, I have written a new policy on the movement of PHI to ensure that it is adequately protected. The new Sample Movement of PHI Policy is now posted in the Premium Member Section of this website.
Now that my latest book is out, How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, I might suggest perusing it now, at one’s leisure, before a breach happens. A lot of harm can occur while one is obtaining the book and digesting its guidance in the aftermath of a breach and the ensuing panic.