This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SALINAS VALLEY MEMORIAL HOSPITAL

450 EAST ROMIE LANE SALINAS, CA 93901

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 29, 2014. Also cited in 14 other reports.


Report ID: R9PO11.01, California Department of Public Health

Reported Entity: SALINAS VALLEY MEMORIAL HOSPITAL

Issue:

Based on interview and record review, the hospital failed to protect patient right for confidential treatment for three of three sampled patients (1, 2, and 3), when their names and dates of birth were sent to an unauthorized physician's office. The failure resulted in disclosure of personal information for three patients to an unauthorized entity.

Findings:

The California Department of Public Health received a faxed report on 3/20/13, which indicated the hospital received a call from a physician's office (PO A) stating they had received some lab results for hospital patients who were not in their database. The hospital determined the four messages had been received via the lab results interface, and all four messages belonged to another physician's practice. The four lab result messages belonged to three hospital patients, and were deleted from the incorrect database.

During an interview on 8/29/14 at 10 a.m., the compliance officer (CO) stated the director of physical integration (DPI), who provided support for an electronic system for 25 separate physician's offices outside the hospital, was made aware physician's office A (PO A) was not receiving laboratory results from the offsite laboratory.

During an interview on 8/29/14 at 10:30 a.m., DPI stated the hospital hosts an electronic system (eMD, used for charting and has limited interface, i.e. laboratory) for 25 separate physician offices, with training, implementation, and support, and the hospital manages the laboratory interfaces. The laboratory interface connects the offsite laboratory to the eMD database for the physician offices. DPI stated PO A was not receiving laboratory results. The system administrator (SA), while trying to correct the problem, inadvertently entered the username and password for PO B, instead of PO A, into PO A's laboratory interface. Using PO B's information resulted in four laboratory results for PO B's Patient 1, Patient 2, and Patient 3, to be sent to PO A.

DPI stated PO A's staff could not open the laboratory results, so they did not know to which PO the laboratory results were supposed to go. DPI stated PO A's staff could see names and dates of birth for Patient 1, Patient 2, and Patient 3, but they could not see the laboratory results. DPI stated he was able to look on the "back end" of the incorrectly sent laboratory results, and noted they were supposed to have been sent to PO B.

During an interview on 8/29/14 at 11:15 a.m., SA stated PO A was not receiving laboratory messages, so he had been trying to fix the problem. SA stated while trying to fix the problem, he inadvertently entered PO B's password which caused four messages that belonged to PO B, to be sent to PO A. SA stated after the hospital was notified of the incorrect messages being sent to PO A, the messages were deleted. SA further stated he did not know what were the contents of the messages, since he did not look at the bodies of the messages.

A review of a copy of the letters sent on 3/19/13, from the hospital to Patient 1, Patient 2, and Patient 3 indicated the hospital's privacy officer was notified results of laboratory tests were accidentally sent to PO A.

A review of a copy of the hospital's 10/18/11 "Data Confidentiality" policy indicated confidential or sensitive data should not be disclosed to any persons or entities. Information systems security controls and policies should remain intact when accessing all organizational data and information systems. Confidential information systems output is delivered to the person(s) designated to receive it, or are made available only to the person(s) designated to receive it. All parties subject to this policy should ensure that all confidential data under their immediate supervision or responsibility is properly secured.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
