If the user is in db_datareader, this explains why the user sees the column. Adding a user to db_datareader means that you grant that user SELECT permission on any table in the database. And all columns on all tables.
If you want to keep the user in db_datareader, you will need to use DENY as suggested by David.
But you may also have second thoughts about adding users to db_datareader. You can also grant SELECT permissions on schema level, and stick sensitive information in separate schemas. Obviously, this would require putting the column in this case in a separate table. Or move the entire table to a separate schema, and add a view to the dbo schema that only exposes the public columns.
I would like to point out that the ideas I float in the previous section are not necessarily your best choices. I am just presenting some alternatives. It could be that DENY is the best for you, but I have given you a caution.
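The two alternatives from the answer above, side by side, as an added T-SQL example that is not part of the original post. All object names (`AppUser`, `hr`, `dbo.Employee`, `Salary`) are hypothetical, the table is constructed for the demo, and `GO` is the batch separator used by sqlcmd and SSMS.

```sql
-- Constructed demo objects; every name here is hypothetical.
CREATE USER AppUser WITHOUT LOGIN;
CREATE TABLE dbo.Employee (
    EmployeeId int PRIMARY KEY,
    Name       nvarchar(100),
    Salary     money              -- the sensitive column
);
ALTER ROLE db_datareader ADD MEMBER AppUser;
GO

-- Alternative 1: keep db_datareader membership, DENY the one column.
DENY SELECT ON dbo.Employee (Salary) TO AppUser;
GO
EXECUTE AS USER = 'AppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Employee', 'OBJECT', 'SELECT', 'Name',   'COLUMN') AS can_read_name,
       HAS_PERMS_BY_NAME('dbo.Employee', 'OBJECT', 'SELECT', 'Salary', 'COLUMN') AS can_read_salary;
REVERT;
GO

-- Alternative 2: drop db_datareader, grant SELECT per schema instead.
REVOKE SELECT ON dbo.Employee (Salary) FROM AppUser;   -- REVOKE also removes a DENY
ALTER ROLE db_datareader DROP MEMBER AppUser;
GO
CREATE SCHEMA hr AUTHORIZATION dbo;                     -- same owner as dbo keeps the ownership chain intact
GO
ALTER SCHEMA hr TRANSFER dbo.Employee;                  -- whole table moves out of dbo
GO
-- View in dbo exposes only the public columns of the moved table.
CREATE VIEW dbo.Employee AS
    SELECT EmployeeId, Name FROM hr.Employee;
GO
GRANT SELECT ON SCHEMA::dbo TO AppUser;                 -- nothing is granted on hr
GO

-- Verify as the user: the view is readable, the underlying table is not.
EXECUTE AS USER = 'AppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Employee', 'OBJECT', 'SELECT') AS can_read_view,
       HAS_PERMS_BY_NAME('hr.Employee',  'OBJECT', 'SELECT') AS can_read_base_table;
SELECT EmployeeId, Name FROM dbo.Employee;              -- resolved through the view
REVERT;
GO
```

With the second layout, any table later added to `dbo` is readable by `AppUser`, so sensitive tables have to be created in `hr` (or another ungranted schema) from the start.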