Sutter Health sued over theft of computer containing patient data

by Darrell Smith, Sacramento Bee

Sutter Health is being sued for negligence and other allegations in the mid-October theft of a computer from Sutter Medical Foundation headquarters that held information on more than 4 million of its patients.

The class-action suit, filed Monday on behalf of plaintiff Karen Pardieck of Folsom in Sacramento Superior Court, alleges that the Sacramento-based health network was negligent in safeguarding its computers and data and then did not notify the millions of patients whose data went missing within the time required by state law. The suit seeks $1,000 for each member of the class and attorneys’ fees.

The computer was stolen during a break-in through a smashed window the weekend of Oct. 15. Employees discovered the theft Oct. 17. Sutter patients were being notified last week.

"Sutter should’ve had that under lock and key, not protected by a pane of glass," attorney Robert Buccola of the Sacramento firm Dreyer Babich Buccola Wood LLP, which filed the suit, said Tuesday. "If there’s proprietary information in their files, they have a financial interest to make sure security is of the utmost importance."

Some 3.3 million patients whose providers are supported by Sutter Physician Services were affected.

Their names, addresses, email addresses, dates of birth, telephone numbers and names of patients’ health insurance plans dating from 1995 were contained in the computer’s database.

The computer contained the same information for 943,000 Sutter Medical Foundation patients. It also included data on foundation patients from January 2005 to January 2011, including descriptions of medical diagnoses or procedures used for business operations.

Sutter Health officials said the data breach is the largest ever at the health network.

The data were stored on a password-protected but unencrypted desktop computer in the administrative offices of Sutter Medical Foundation in Natomas.

Sutter officials said the health network was in the process of encrypting patient data stored on its desktop computers, but had not yet protected the stolen computer. Data on its laptop and mobile devices were secure.

Reports of missing or stolen patient information are becoming a more common occurrence.

Over the last two years, health care organizations have reported 364 incidents involving the loss or theft of information ranging from names and addresses to Social Security numbers and medical diagnoses on nearly 18 million patients, according to the Associated Press.

On Tuesday, Sutter spokesman Bill Gleeson defended the time it took the health network to notify patients, saying a team had to first determine what was on the computer. Sutter also put a private investigator on the case.

"It took some time. We began a detailed, complicated process of notifying that number of patients," Gleeson said.

Gleeson also said Sutter "deeply regrets the theft," but would not comment on the lawsuit or on allegations that the health network had no system to back up the millions of pieces of data contained in the stolen computer.