said Wednesday that a desktop computer containing data for 4.24 million patients was stolen from its headquarters in Sacramento over the weekend.
In a press release issued Wednesday, Sutter said no Social Security numbers were kept on the stolen computer, which was not protected by encryption software.
But for nearly 1 million patients, the data loss was serious enough that Sutter said they will be notified by mail.
The affected local facilities include and , as well as the Alta Bates Summit Medical Center in Berkeley, the Sutter East Bay Medical Foundation, which represents more than 200 health providers in 10 East Bay cities, and almost two dozen more.
The information that was compromised was collected between 1995 and January 2011.
Sutter identified two classes of patient data affected by the breach.
For 3.3 million patients, the following information was lost: name, address, date of birth, phone number, email address (if provided), medical record number and the name of the patient’s health insurance plan.
Another 943,000 Sutter Medical Foundation patients were victims of a more serious data breach.
In addition to the information listed above, the lost data included the dates of service and descriptions of medical diagnoses and/or procedures used.
Sutter said these 943,000 patients would be notified by mail no later than Dec. 5 because the data loss in their case was "broader in scope."
Karen Barney, a spokeswoman for the nonprofit Identity Theft Resource Center in San Diego, explained why.
With a list of email addresses, identity thieves could go phishing — that means trying to trick the recipient of a message into divulging Social Security and/or bank account numbers.
"The more information you give a predator the easier it is for them to trick you into thinking they are legit," Barney said.
Therefore, if phishers get data about the dates and nature of treatments affecting this second group of patients, they would be in a better position to pull off a data theft, she said.
Sutter has established a toll-free helpline to answer questions and to help patients determine whether their data was included. Call (855) 770-0003 on weekdays from 8 a.m. to 5 p.m.
When prompted, patients should enter this 10-digit reference code: 7637111511.
In addition to the two local hospitals, Sutter said the affected facilities include:
- Albany Family Practice
- Alta Bates Medical Associates
- Alta Bates Medical Group
- Alta Bates Summit Medical Center
- Central Valley Medical Group
- County of Yolo Department of Health
- Family Doctor Medical Group
- Oakcare Medical Group
- Sutter Amador Hospital
- Sutter Coast Hospital
- Sutter East Bay Medical Foundation
- Sutter Express Care
- Sutter Gould Medical Foundation
- Sutter Independent Physicians
- Sutter Lakeside Hospital
- Sutter Medical Centers of Sacramento
- Sutter Medical Center of Santa Rosa
- Sutter Medical Foundation
- Sutter Pacific Medical Foundation
Sutter Chief Executive Officer Patrick Fry expressed his regrets for the breach and said steps have already been taken to make sure it never happens again.
The theft is being investigated by Sacramento police.