A group of patients filed a class-action lawsuit against Sutter Health this week, after it was revealed a laptop containing information on more than 4 million patients was stolen from the headquarters of the Sutter Medical Foundation (SMF) in Natomas, California.
The lawsuit, filed in the Sacramento Superior Court on behalf of plaintiff Karen Pardieck, is seeking $1,000 for each of the 944,000 patients involved in the class, plus attorneys' fees. In total, the lawsuit amounts to more than $1 billion.
Earlier this month, Sutter Health revealed that a company-issued laptop had been stolen from the administrative offices of the SMF on October 15. The computer, according to a press release from Sutter Health, was password-protected, but much of the data stored on it was unencrypted. A login password only controls access through the operating system; it does not protect data at rest from someone who removes the drive or boots the machine from other media, which is why the lack of encryption, not the presence of a password, is the issue in this case. No medical records were stored on the computer, but the machine did hold a database that contained information on 3.3 million Sutter Physicians Services (SPS) patients and 943,000 SMF patients.
According to the healthcare provider, the database contained names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and the name of each patient's health insurance plan. The healthcare provider explained that the data regarding the SMF patients was even more extensive, as it included dates of services and descriptions of medical diagnoses and procedures.
According to the Sacramento Bee and other news providers, the lawsuit alleges that Sutter Health was negligent in protecting its patients' sensitive information and then was slow to notify those affected by the breach.
"Sutter should've had that under lock and key," attorney Robert Buccola of law firm Dreyer Babich Buccola Wood, which filed the suit, said, according to the Sacramento Bee. "If there's proprietary information in their files, they have a financial interest to make sure security is of the utmost importance."
Sutter Health said that it had already encrypted some of the information held on other systems, according to the Sacramento Bee, but that its encryption rollout had not yet reached the laptop in question.
At this point, it is unclear whether the stolen information has been misused.
Data breach notification has been a point of contention for some time, and it is playing a role in the Sutter Health case as well. According to the Sacramento Bee, Sutter spokesman Bill Gleeson contends that the healthcare provider responded appropriately to the situation after it took time to determine what was on the stolen laptop. However, those involved in the suit argue that a month is too long to wait to notify those affected by a breach.
This situation is being addressed by several bills currently making their way through the U.S. Congress. Senators Patrick Leahy and Richard Blumenthal, as well as Representative Mary Bono Mack and others, have introduced bills that would consolidate the 47 data breach notification standards currently used by the states and Washington, D.C.
In September, the Senate Judiciary Committee approved Leahy's Personal Data Privacy and Security Act of 2011, which would create a national standard for data breach notifications. However, the proposal has not yet been made into law.
Should Congress pass Leahy's or others' bills, it could have a significant impact on cases like that of Sutter Health, as it would establish how long an organization can wait before notifying those affected by data breaches. At the moment, Sutter Health expects all patients affected by this latest incident to receive notices by December 5.
Data Security News from SimplySecurity.com by Trend Micro