SAN FRANCISCO — A February 5 break-in at the Torrance, CA office of Sutherland Healthcare Solutions resulted in the theft of computers that included patient information from Sutherland clients, including the San Francisco Department of Public Health (DPH).
Sutherland, which contracts with DPH to provide billing services, informed DPH on March 18 that personal information of approximately 55,900 San Francisco medical patients was stolen, including names, billing information, and in some cases social security numbers, dates and locations of services and dates of birth. The majority of patients were cared for at DPH facilities between August 2012 and November 2013.
“We take the security and privacy of patient information very seriously,” said Barbara Garcia, Director of Health. “We are working to ensure that all patients are notified and provided with resources to help them protect their privacy.”
There is no confirmation that there has been any attempted access or attempted use of the information involved in this incident. The health department will begin contacting affected patients by mail next week. In cases where a mailing address is not available, the department is conducting outreach to find and notify the individuals. The California Department of Public Health, the California Attorney General and federal authorities have been alerted.
Sutherland is offering San Francisco patients free credit monitoring and recovery services for one year with identity theft insurance coverage of up to $20,000. Starting on Monday March 24, patients may call Sutherland’s call center at 866-486-4809 or visit www.myidcare.com/idexpertshealthcareprotection to learn if they are affected and to access these services.
Records of approximately 168,500 patients of Los Angeles County departments of health services and public health also were stolen in the break-in. The criminal investigation is being led by the Torrance Police Department.
The San Francisco patients had used the outpatient medical services of the Health Department’s Community Oriented Primary Care Clinics or of the San Francisco General Hospital and Trauma Center emergency department or clinics. Most of them were uninsured.
Sutherland is a business processes and technology management services company based in Rochester, NY. As a contractor, Sutherland is obligated by the federal Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy. Sutherland has informed DPH how they are ensuring that patient information is secure and what steps they are taking to prevent an incident like this from happening again.
Sutherland’s response includes:
· Encrypting all computers
· Requiring all data be saved to share drives and not be saved on individual computers
· Cabling desktop computers to desks