Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST BERNARDINE MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on November 19, 2013. Also cited in 41 other reports.
Report ID: Z8W511, California Department of Public Health
Reported Entity: ST BERNARDINE MEDICAL CENTER
Issue:
Based on interview, and record review, the facility failed to maintain confidentiality with the protected health information (PHI) for one patient (Patient A), when the itemized billing statement containing PHI was inadvertently mailed to the wrong insurance carrier. This resulted in a breach of Patient A's PHI.Findings:An unannounced visit was made to the facility on November 19, 2013 at 4:00 PM, to investigate an entity reported event of a possible breach of Patient A's PHI.During the review of an entity reported incident dated November 12, 2013, sent by the facility privacy officer (FPO), she documented that on August 22, 2013, while inputting Patient A's insurance information into the electronic system, Employee 1, had entered the required billing data, but had sent it to an entity with the same name as the intended recipient, however ending in "Plan," versus "Group." The facility received a letter on November 6, 2013, indicating that the claim had been denied for payment due to the recipient not being the correct payer group."During a review of the facility policy and procedure titled, "Investigation, Response, and Notification of Privacy Data Security Incidents," dated June 13, 2013, it provided an example of "Unsecured PHI" that might be involved in a breach to include,"..full name, Social security number, date of birth, home address, account number..."The itemized billing statement that had been sent to the wrong recipient had included:"revenue codes, service descriptions, charges, name of guarantor/patient, patient address, name of insurance company, insurance plan ID number, insured unique ID number, date of birth, dates of service, facility and physician's name."During an interview with the FPO on November 19, 2013 at 4:30 PM, she agreed that the data sent in error to the wrong insurance company was a breach of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights