Two northern California healthcare organizations have sent letters to more than 17,000 patients notifying them that their personally identifiable medical records have been exposed in separate breach incidents.
Meanwhile, links between one of the breaches and a methamphetamine investigation may have national implications, according to a California-based privacy expert.
Three healthcare sites in Sutter Health's East Bay region may have been the source of about 4,500 patient records recovered by the Alameda County Sheriff's Department during a methamphetamine investigation, according to a letter addressed to patients and posted on the breach notification website maintained by the California attorney general's office. The records were found during a methamphetamine bust, according to news reports.
According to the letter, the information included patients' names; dates of birth; Social Security numbers; addresses, including ZIP codes; home and work phone numbers; gender; marital status; and their employers' names.
Pam Dixon, founder and executive director of the World Privacy Forum, said data analysis her organization is currently performing on records from the Justice Department, the Federal Trade Commission and HHS' Office for Civil Rights has revealed “a really weird pattern” of correlation between medical record breaches, medical identity theft and methamphetamine trafficking.
“This is not a Mom and Pop crime,” Dixon said. “This is a very sophisticated crime.”
“They'll go in and by whatever means they can, they will acquire healthcare files and start getting prescriptions for methamphetamine precursors. They'll steal people's identities, a lot of them, and they'll write prescriptions for that. They would parse out these prescriptions over a long, long period of time and over a lot of people.”
Dixon said northern and southern California as well as Colorado have become “hot spots” for this activity.
A spokesman for the Alameda County Sheriff's Department could not be reached for comment. Sutter spokeswoman Stacey Wells said she could not comment on the investigation.
The larger of the two breach incidents occurred at the Lucile Packard Children's Hospital at Stanford University in Palo Alto, Calif., when a “password-protected, non-functional laptop” was reported as stolen on May 8 from a “secured, badge-access controlled area of the hospital,” according to a June 12 hospital news release.
The laptop contained data on the hospital's operating room schedules over a three-year period beginning in 2009 and possibly affecting 12,900 patients, according to the release.
The hospital said the disclosed information could have included the patients' names; ages; medical record numbers; telephone numbers; scheduled surgical procedures; and names of physicians involved in those procedures. The hospital is offering a year of identity-theft protection to the families affected.
The latest Sutter Health incident is not yet posted to the website of the Office for Civil Rights at HHS, where breaches exposing the patient-identifiable medical records of 500 or more individuals are displayed.
Two earlier Sutter breach incidents are. One is a 2011 breach involving the Sutter Gould Medical Foundation, a Sutter Health medical group based in Modesto, and a business associate, Fidelity National Technology Imaging, and the loss of 1,192 paper records, according to the OCR site.
Another, later that year, involved the theft from a Sutter office in Sacramento of a computer containing more than 4.2 million patient records, including 943,434 patient medical records, the seventh largest breach reported on the site.
Thus far, the records of nearly 22.2 million individuals have been exposed in 619 major breaches listed on what has become known as the OCR's “wall of shame.”
Follow Joseph Conn on Twitter: @MHJConn