We are providing these FAQs in accordance with the substitute breach notification provisions of the Health Insurance Portability and Accountability Act (“HIPAA”).

For more information regarding the incident please see our FAQs below. If you have any further questions on this matter, please call 1-855-763-1159, Monday through Friday, 8:00 a.m. to 5:00 p.m. PST (closed on U.S. observed holidays).

• What happened?
• When did this incident happen?
• How did this incident happen?
• What information was involved in the incident?
• What has Sutter Buttes Imaging done in response to the incident and how is Sutter Buttes Imaging going to prevent this from happening again?
• Has my information been affected by the incident?
• Should I take any steps to protect myself?

We are providing these FAQs in accordance with the substitute breach notification provisions of the Health Insurance Portability and Accountability Act (“HIPAA”)

1. What happened?

In December 2020, Sutter Buttes Imaging Medical Group, Inc. (“SBI”) was informed that certain third party IT infrastructure utilized by SBI at the Sutter Buttes Imaging center (945 Shasta Street, Yuba City) may have been vulnerable to penetration.  After thorough investigation, SBI determined that, due to these third party IT infrastructure vulnerabilities, certain patient information may have been accessed by unauthorized parties.

2. When did this incident happen?

Based on a thorough investigation, we learned that the unauthorized patient information access occurred between July 2019 and December 2020.

3. How did this incident happen?  

This incident resulted from a security vulnerability in the specific IT infrastructure offered by a third party and utilized by SBI to store and transmit information generated in connection with medical services performed at its imaging center in Yuba City, California.

4. What information was involved in the incident?

The information specifically accessed in the incident was limited to the following: study date, patient name, date of birth, type of imaging procedure, and patient and study number (both internal numbers created by SBI).   The information did not include social security numbers, credit card numbers, insurance information, or any medical diagnoses, medical images, or medical reports or notes.

5. What has Sutter Buttes Imaging done in response to the incident and how is Sutter Buttes Imaging going to prevent this from happening again?

SBI takes privacy and security matters very seriously. We conducted a thorough investigation and took several critical steps to address the identified IT vulnerabilities and to prevent a similar incident from happening again. SBI closed certain firewall ports to prevent future access and also engaged third party IT consultants to perform a thorough analysis and bolster our security controls going forward.

6. Has my information been affected by the incident?

SBI has already attempted to notify impacted patients via mail in accordance with applicable legal requirements. However, because we cannot be sure that all impacted patients were notified, and because we care about the protection of your personal information and understand the concern that this situation may cause, we are posting these FAQs to make you aware of the incident. 

7. Should I take any steps to protect myself?

If your family member was an SBI patient and is now deceased, we do not anticipate any harmful effects resulting from this incident and do not believe you need to take any further steps.

If you received medical imaging services from Sutter Buttes Imaging center in Yuba City, California, some precautionary steps may include: (1) reviewing a free copy of your credit report, (2) reviewing your explanation of benefits statement, (3) placing a freeze on your credit report, and (4) placing a 90-day fraud alert on your credit file.  Each of these steps are described in further detail below.

Credit Report

You can visit www.annualcreditreport.com or call 877-322-8228 to obtain a free copy of your credit report.  Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize.  Verify all information is correct.  If you have questions or notice incorrect information, contact the credit reporting company.

Use Tools from Credit Providers

Carefully review your credit reports and bank, credit card, and other account statements. Be proactive and create alerts on credit cards and bank accounts to notify you of activity.   If you discover unauthorized or suspicious activity on your credit report or by any other means, file an identity theft report with your local police and contact a credit reporting company.  You may also contact your state’s Attorney General if you believe you have been the victim of identity theft.

Review your Explanation of Benefits statement

Regularly review the explanation of benefits statement(s) that you receive from your health care providers or health plan.  If you see any service that you believe you did not receive, you should contact your health care provider or health plan at the telephone number listed on the explanation of benefits statements.  If you do not receive regular explanation of benefits statements, contact your health care providers or health plan and ask that they send you a copy after each visit you make to your health care providers.

Security Freeze

Under state law, if you are the victim of identity theft, you may have the right to file a police report and obtain a copy of that report.  State law may also allow you to place a security freeze on their credit reports.  If you are concerned about becoming a victim of fraud or identity theft, a security freeze might be the most appropriate option.  Placing a freeze on your credit report will prevent lenders and others from accessing your credit report entirely, which will prevent them from extending credit. With a Security Freeze in place, you will be required to take special steps when you wish to apply for any type of credit.  This process is also completed through each of the credit reporting companies. 

To place a security freeze on your credit report, you must send a written request to each of the three major consumer reporting agencies by regular, certified or overnight mail at the addresses below:


Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

Trans Union Security Freeze

Fraud Victim Assistance Department

P.O. Box 6790

Fullerton, CA 92834


Fraud Alert

An initial 90-day fraud alert indicates to anyone requesting your credit file that you suspect you are a victim of fraud. When you or someone else attempts to open a credit account in your name, increase the credit limit on an existing account, or obtain a new card on an existing account, the lender should take steps to verify that you have authorized the request. If the creditor cannot verify this, the request should not be satisfied.  There is no cost to you to place a fraud alert.  You may contact one of the credit reporting companies below for assistance.

Equifax 1-800-525-6285 www.equifax.com

Experian 1-888-397-3742 www.experian.com

TransUnion 1-800-680-7289 www.transunion.com

Obtain more Information about identity theft and ways to protect yourself

The Federal Trade Commission has an identity theft hotline: 877-438-4338; TTY: 1-866-653-4261.  They also provide information on-line at www.ftc.gov/idtheft.