4500 Patient Records Found During Drug Bust

In the healthcare world, it seems that HIPAA privacy violations and HIPAA lawsuits are the car accidents that people can’t resist checking out. In most cases, people in healthcare are mostly interested in seeing what happened with the HIPAA violation and what the consequences were for that violation. In fact, these violations wake people up to the HIPAA policies better than any other means, but I digress.

Since this blog is called EMR and HIPAA, I try to cover various HIPAA related issues I hear about in the news. Today’s HIPAA breach is pretty crazy. It was discovered during a drug bust by the Alameda County Sheriff’s department. During the drug related investigation they found information for 4,500 patients from three hospitals: Alta Bates Summit, Sutter Delta, and Eden Medical Center.

Sutter Health posted a notice about the breach. The notice says that the information could have included: a patient’s name, Social Security number, date of birth, gender, address, zip code, home phone number, marital status, name of employer and work phone number. Sutter has offered free credit monitoring services for those patients who are involved. Plus, they have a hotline set up for those who have questions.

This situation is a bit unique since it seems they haven’t been able to identify exactly which hospital the patients are from. If that’s the case, then releasing all of the patient data to all 3 hospitals could be a breach as well, no? I’m good with making sure you notify everyone on the list that could be affected. They should be notified, but I’d be interested to know which of the 4,500 patients’ records were shared with which hospital.

I wonder if large organizations like Sutter Health are creating a permanent department for breaches.

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • I think this post brings up a fundamental flaw regarding our current thinking about HIPAA privacy violations and the internet. As this post illustrates, the vast majority of violations occur when there are “crazy” breaches, such as a CIO leaving backup disks in an open car or computers discarded without scrubbing data clean. Also illustrated is that personal ID information such as social security numbers are much more likely to be valuable to hackers than our personal health information, such as medications or doctor appointments. So when internet based personal health records are condemned for lacking military grade security, we should all keep in mind: 1. who cares? 2. if data is intercepted, so what? 3. the “P” in HIPAA stands for portability 4. according to the President and NSC, overall usefulness can justify some loss of our privacy.

  • Hi Dr. Fox,
    I’ve been preaching a similar message for a long time. We have to be careful in saying we should be reckless with patient data, but there definitely needs to be a greater understanding of what’s really at risk.

  • What a completely appropriate place to find PHI but during a drug bust…how better to fund drug purchases than by selling personal data on the black market.

    To be clear, the vast majority of breaches occur not from CIOs necessarily, but from portable devices (generally laptops) that are NOT encrypted and then lost or stolen, generally by “worker-bees”.

    Encrypting the information is quite simple, so the fact that an organization does not encrypt a device that has PHI on it is pure ignorance or laziness.

    Data security just isn’t that difficult.

    I’m generally amused when, within a breach notification, there is clarification that SSNs were not part of the mix.

    Plenty can be done by ID thieves without a SSN.

    Not to mention, there are those who actually do take offense when private issues, like their medical status becomes public.

    To your questions:
    1) It depends, but for the most part the number of patients that truly care about their data is small. I believe this is why efforts by MS & Google to create repositories for medical records failed.
    2) Well, it annoys me when people can’t do the basic things that are expected of them, like keeping my info private…or getting my order correct at the drive thru.
    3) Portability just isn’t that difficult. It would be even easier if the world of EHR data had actually been planned out.
    4) Sure, overall usefulness might require some loss of privacy, but individuals should be making that decision, nobody else.

    What’s really at risk? I think our overall privacy in general.
    “We” give up way too much for stupid things like free email accounts.

    I strongly believe that data harvesting and ID theft from data obtained in the medical world, whether it be hospitals or private practices, is going to be a huge issue.

    Most private practices don’t have the basics of HIPAA compliance in place, what makes us think they have any grasp on network security?
