This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services' Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296, SAN FRANCISCO, CA 94143

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 5, 2014. Also cited in 108 other reports.


Report ID: II8T11.01, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the Hospital failed to ensure the confidentiality of patients' records when they continued to use unencrypted desktop computers (encryption is "the process of encoding messages or information in such a way that only authorized parties can read it." Wikipedia) at an off-campus clinic site and eight of the desktop computers were stolen. This had the potential for 9968 patients to have their protected health and/or personal information misused.

Findings:

On 1/27/14 at 3:38 PM, the hospital sent a faxed notification to CDPH informing the Department that eight unencrypted desktop computers were stolen from an off-campus clinic. In a press release on 3/12/14, the hospital indicated the unencrypted desktop computers contained protected health information for 9,986 patients.

In a group interview on 3/5/14 at approximately 8:15 AM, the Privacy Coordinator (PC) and the Privacy Analyst (PA) stated that over the weekend of 1/11/14-1/12/14, eight desktop computers and two flash drives were stolen from an off-campus clinic. Staff at the clinic noticed the theft when they opened the clinic on the morning of 1/13/14. The PC and PA stated that data analysis was still in process but it appeared that only two of the desktops contained protected health information. The PC agreed that encryption would have been the simple way to protect the patients' health information and she did not know why the desktop computers had not been encrypted.

In a follow-up fax to CDPH, dated 3/11/14, the Hospital's Manager of Accreditation and Licensing confirmed that two of the stolen desktop computers contained the names, dates of birth, medical record numbers, and some health information of 9861 patients. Some of these records also contained addresses and social security numbers. The Manager stated that since patient identification had been completed, notification letters were being sent to all of the involved patients starting 3/12/14.

Record review of the policy and procedure "Safeguarding the Privacy and Confidentiality of (Hospital Name) Information and Data" dated 12/13, indicated that "access to data must be performed from devices that meet the (Hospital Name) Minimum Security Standards (i.e. are encrypted)."

In a follow-up interview on 4/15/14, the Hospital's Chief Information Officer (CIO) stated that prior to the theft at this off-campus clinic, the industry had considered desktop computers as a low risk for theft and information breaches. Since the risk was low they were not encrypted. The CIO said that after this theft the Hospital had decided to encrypt desktop computers at all locations on and off campus.

The Hospital had the ability to encrypt the patient data on the desktop computers prior to the theft of these devices and they failed to perform this step in data security.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
