Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 30, 2014. Also cited in 55 other reports.
Report ID: TYJE11.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of Patient A's protected health information (PHI) when a patient care representative (PCR) inadvertently included an outside vendor, a printing services company, on an E- mail (electronic mail) containing PHI. This failure resulted in a breach and the unauthorized release of Patient A's PHI.Findings:On September 30, 2014 at 3:05 PM, a phone interview was conducted with the Manager of Accreditation and Risk Management (MARM) regarding an entity reported incident of a breach on September 22, 2014. A PCR accidentally E- mailed Patient A's PHI to an employee of a printing service when the PSR was sending the E- mail copies of Patient's A acknowledgement letter, and resolution letter to the manager/directors of the departments of the hospital. The E- mail Outlook prepopulated the recipient field with the employee from the printing service. The PSR did not detect the error and sent the E- mail.During a review of the documentation that had been accessed for Patient A, the documentation included an acknowledgement letter which contained Patient A's name, address and date of service. The resolution letter contained the patient's name, address, date of service, and notes on Patient's A concerns. A review of the facility policy and procedure titled, "Confidentiality policy," not dated, indicated under section "A," "Employee are required to follow all policies and procedures...regarding use and disclosure of business and patient information...in order to ensure that business and patient information is safeguarded at all times."The failure of PCR to verify all the E- mailed documents to the intended recipient resulted in the unauthorized release of Patient A's PHI to an employee of a printing service.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights