A class-action lawsuit was filed against Sutter Health in connection with the theft last month of a computer that contained personally identifiable patient data. The suit asks a California court to require Sutter to encrypt its data at rest and seeks $1,000 a person in damages for each member of the class of nearly 1 million people whose records were on the stolen office computer.
The 10-page complaint (PDF) filed Monday in Sacramento Superior Court names Karen Pardieck as the lead plaintiff and Sutter Health, Sutter Medical Foundation and Sutter Physician Services as defendants. Pardieck received a letter dated Nov. 16 from Sutter Medical Foundation CEO Tom Blinn informing her of the breach, according to the complaint. The proposed class consists of "more than 944,000 Sutter patients" who received similar letters.
According to a Sutter statement released Nov. 16, the theft occurred at an administrative office in Sacramento over the weekend of Oct. 15 and involved two databases on the same desktop computer.
One database held records of 3.3 million patients from 1995 to January 2011 compiled by Sutter Physician Services, which provides billing and managed-care services for physicians, including those in the Sutter network. The data included patient names, dates of birth, phone numbers and e-mail addresses as well as the names of patients' insurance plans and their medical record numbers.
The computer also held a second database of about 943,000 records of Sutter Medical Foundation patients that included the same demographic information as well as descriptions of patient diagnoses, procedures and dates of service from January 2005 to January 2011, according to Sutter. Because the data on the latter group of patients was "broader in scope," Sutter announced that those affected would be sent notices by mail, to be received “no later than Dec. 5.”
The lawsuit contends that Sutter failed to properly secure the medical information in violation of the California Confidentiality of Medical Information Act. It specifically alleges that "Sutter is and was negligent by failing to store its patients' medical information in an encrypted form." Sutter also "unreasonably delayed" its notification for at least 30 days in violation of state law, which requires notification in the "most expedient time possible," according to the complaint.
Sutter Communications Director Karen Garner said in an e-mail that Sutter hasn't reviewed the complaint and can't comment on pending litigation. She added: "I do want to reiterate that we take our responsibility of providing quality care very seriously, and that includes protecting our patients' personal and medical information. We deeply regret the theft and any concern or inconvenience this has caused for patients. We've already taken steps to prevent something like this from happening again." Garner added that "we have no reason to believe the computer was taken for the information it contained."