ID Experts, December 05, 2011

Sutter Health Data Breach – Preventative Actions Could Have Helped

Guest Blog by Eric Nelson, Practice Leader – Privacy and Information Security, Lyndon Group

The Sutter Health breach is an unfortunate example of how many healthcare-related organizations currently manage an individual's personal health information. Privacy and information security may be recognized as a compliance risk, but organizations may not take a proactive approach due to limited resources or budget constraints.

It appears that the Sutter breach could have been prevented, or its scope reduced, by following some basic best practices and adhering to the HIPAA Privacy and Security Rule requirements. Some basic preventative actions that Sutter should have taken include:

  • Perform a periodic inventory of protected health information (PHI) to identify the internal and external systems and applications that contain personal data – Sutter reportedly took a month to notify affected individuals because it could not determine which patients' data had been on the computer.
  • Conduct periodic risk assessments and gap analyses of privacy and information security policies, processes and procedures – a comprehensive risk analysis may have identified the physical vulnerability of Sutter's locations; the administrative vulnerability of storing 4 million patient records on one computer; and the technical vulnerabilities, including the need to prevent unauthorized access and to encrypt at-risk data.
  • Develop privacy and information security performance and activity metrics, e.g., ongoing compliance reviews, physical walk-throughs (roundings), and hotline and complaint management, and ensure that these metrics are an integral part of the organization's corporate governance program.
  • Develop a comprehensive incident response plan that includes primary and secondary response team contacts, third party contacts, state and federal reporting procedures, risk assessment procedures (to determine notification requirements) and incident review and mitigation policies and procedures.
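The first item above, the PHI inventory, is the one that can be partly automated: a scan that finds which files and systems hold patient identifiers is what lets an organization say, on day one of an incident, whose data was on a lost machine. The following is an added example (not code from Sutter Health, ID Experts or the Lyndon Group) of such a discovery scan in Python. It looks for SSN and MRN identifiers, uses dates only as a supporting signal, counts identified records per file, and flags any single store that concentrates a large number of records, the administrative vulnerability the second item describes. The MRN format, the high-volume threshold and the sample records are constructed assumptions for illustration.

```python
"""PHI inventory scan (added example, not the page's or any vendor's code).

Reads a set of files, looks for patient identifiers (SSN, MRN) with ISO dates as
a supporting signal, and reports which files hold PHI and how much. Each hit is
a data store that needs an owner, access restriction and encryption.

Assumptions: the MRN format "MRN" + 6-10 digits, the HIGH_VOLUME_RECORDS
threshold and the SAMPLE_FILES contents are all constructed for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# SSN: 3-2-4 digits, excluding area/group/serial values the SSA never issues
# (000, 666, 9xx area; 00 group; 0000 serial) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# MRN: assumed local format "MRN" plus 6-10 digits; adjust to the real scheme.
MRN_RE = re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE)
# ISO dates: supporting evidence only, since any log file contains dates.
DATE_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")

# A single store with at least this many identified records is flagged as a
# concentration risk (assumed threshold; Sutter's workstation held millions).
HIGH_VOLUME_RECORDS = 1000


@dataclass
class Finding:
    path: str
    ssn_hits: int
    mrn_hits: int
    date_hits: int
    records: int        # lines carrying an SSN or MRN
    high_volume: bool


def scan_text(path: str, text: str) -> Optional[Finding]:
    """Return a Finding for `text`, or None if it holds no direct identifiers."""
    ssn = mrn = dates = records = 0
    for line in text.splitlines():
        s, m, d = len(SSN_RE.findall(line)), len(MRN_RE.findall(line)), len(DATE_RE.findall(line))
        ssn, mrn, dates = ssn + s, mrn + m, dates + d
        if s or m:              # a date alone is not PHI
            records += 1
    if records == 0:
        return None
    return Finding(path, ssn, mrn, dates, records, records >= HIGH_VOLUME_RECORDS)


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: content} and return findings, largest store first."""
    found = [f for p, t in files.items() if (f := scan_text(p, t))]
    return sorted(found, key=lambda f: f.records, reverse=True)


def scan_tree(root: str) -> List[Finding]:
    """Read every file under `root` (unreadable files are skipped) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample "files": one bulk export, one small clinic list, one IT log.
SAMPLE_FILES = {
    "billing/patients_export.csv": "\n".join(
        f"MRN{100000 + i},Patient {i},19{50 + i % 40:02d}-01-{1 + i % 28:02d},"
        f"{100 + i % 500:03d}-{10 + i % 89:02d}-{1000 + i % 9000:04d}"
        for i in range(1200)),
    "clinic/followups.txt": "MRN 204455 recall 2010-03-14\nMRN 204456 recall 2010-03-15\n",
    "it/server_inventory.txt": "host01 2011-12-05 patched\nhost02 2011-11-30 pending\n",
}


def scan_samples() -> List[Finding]:
    """Run the scan over the constructed samples (used for the demo below)."""
    return scan_files(SAMPLE_FILES)


if __name__ == "__main__":
    for f in scan_samples():
        flag = "HIGH VOLUME" if f.high_volume else ""
        print(f"{f.path}: {f.records} records "
              f"(ssn={f.ssn_hits}, mrn={f.mrn_hits}, dates={f.date_hits}) {flag}")
```

Run against a real share with `scan_tree("/mnt/share")`, the IT log drops out because dates alone do not count, the clinic list shows up as a small PHI store, and the billing export is flagged as a high-volume concentration. Pattern scans of this kind produce false positives and miss identifiers in unexpected formats, so treat the output as the starting list for the inventory, to be confirmed with data owners, not as the inventory itself.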

Sutter still has many questions to answer, including why a single desktop workstation held data on approximately 4 million individuals dating back to 1995, and, if encryption efforts started in 2007, how many other computers containing PHI remain unencrypted.

Perhaps the good news is that other organizations may become aware of the Sutter breach and take appropriate steps to protect their patients' information and mitigate the financial and reputational impact of a data breach.
