Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 31, 2013. Also cited in 108 other reports.
Report ID: WFY011.01, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review the hospital failed to notify the California Department of Public Health (CDPH), within the required five business days, that personal health information (PHI) for five patients had been incorrectly disclosed to persons who had no authority and no need to view the PHI.Findings:Patient 1 - CA00376326 - UCSF 2013-245 During an interview on 1/15/14 at approximately 9:30 AM, a Privacy Analyst (PA) stated that a progress note written by Physician A was mistakenly forwarded by Physician A to Physician B. Physician B was no longer involved in the care of Patient 1 and therefore was not authorized to receive Patient 1's medical information. The PA stated Physician B realized he had received this information by mistake so Physician B contacted the hospital on 10/30/13 to inform them of the mistake.The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent progress note and the letter of notification from the hospital to Patient 1. The misdirected progress note contained Patient 1's name, date of birth, Medical Record number, date of service, and medical information regarding a surgical procedure, physical examination, assessment and plan of care. The letter to the patient was dated 11/6/13, six business days after discovery. Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician B on 10/30/13. This report was faxed to CDPH on 11/8/13 at 10:56 AM, seven business days after the information breach was detected.The hospital was two days late in notifying CDPH of the breach of Patient 1's medical information.Patient 2 - CA00376330 - UCSF 2013-246During an interview on 1/15/14 at approximately 9:30 AM, a Privacy Analyst (PA) stated that a consultation summary note written by Physician C was mistakenly forwarded by Physician C to Physician D because the registration clerk had entered Physician D's name to Patient 2's chart as his Primary Care Physician. Physician D had a similar last name as Patient 2's Primary Care Physician but Physician D was never involved in the care of Patient 2 and therefore was not authorized to receive Patient 2's medical information. The PA stated Physician D realized he had received this information by mistake so Physician D contacted the hospital on 10/29/13 to inform them of the error.The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 2. The misdirected progress note contained Patient 2's name, date of birth, Medical Record number, date of service, and medical information regarding a detailed history, medications, problem list, assessment and plan of care.Record review indicated Physician D received Patient 2's consultation summary on 10/28/13 at 3:12 PM and Physician D faxed the information back to Physician C on 10/28/13 at 5:09 PM with a note saying "Faxed to wrong Dr. L__." Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician D on 10/29/13. This report was faxed to CDPH on 11/8/13 at 11:01 AM, eight business days after the information breach was detected. The hospital was three days late in notifying CDPH of the breach of Patient 2's medical information. Patient 3 - CA00376377 - UCSF 2013-248 During an interview on 1/15/14 at approximately 10:00 AM, a Privacy Analyst (PA) stated that a consultation summary written by Physician E was mistakenly forwarded by Physician E to Physician F because the registration clerk had entered Physician F's name to Patient 3's chart as her Primary Care Physician. Physician F had a similar last name as Patient 3's Primary Care Physician but Physician F was never involved in the care of Patient 3 and therefore was not authorized to receive Patient 3's medical information. The PA stated Physician F realized she had received this information by mistake so Physician F contacted the hospital on 10/29/13 to inform them of the mistake.The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 3. The misdirected consultation summary contained Patient 3's name, date of birth, Medical Record number, date of service, and medical information regarding a physical examination, assessment and plan of care for her left knee problems. The letter to the patient was dated 11/7/13, seven business days after discovery. Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician F on 10/31/13. This report was faxed to CDPH on 11/8/13 at 12:16 PM, six business days after the information breach was detected. The hospital was one day late in notifying CDPH of the breach of Patient 3's medical information. Patient 4 - CA00376382 - UCSF 2013-249 During an interview on 1/15/14 at approximately 10:00 AM, a Privacy Analyst (PA) stated that a discharge prescription for Patient 4 was given to another patient (Patient 4B) being discharged around the same time When Patient 4B got home, his brother read the prescription and noted that it was for Patient 4. The brother called the facility on 10/30/13 to report the mistake. The PA stated that the nurse was distracted while discharging the patient and had attached the prescription to the wrong discharge packet.The MAL reported that the prescription contained Patient 4's name, date of birth, medical record number, address, phone number, and some health information. Patient 4B and his brother were not authorized to see this protected health information. Record review indicated the hospital notified CDPH by fax on 11/8/13 at 12:26 PM. This was seven days after the information breach was detected.The hospital was two days late in notifying CDPH of the breach of Patient 4's protected health information.Patient 5 - CA00376629 - UCSF 2013-250During an interview on 1/15/14 at approximately 10:30 AM, a Privacy Analyst (PA) stated that a consultation summary written by Physician G was mistakenly forwarded by Physician G to Physician H because the registration clerk had entered Physician H's name to Patient 5's chart as his Primary Care Physician. Physician H was never involved in the care of Patient 5 and therefore was not authorized to receive Patient 5's medical information. The PA stated Physician H realized he had received this information by mistake so Physician G contacted the hospital on 11/1/13 to inform them of the error.The hospital's Manager of Accreditation and Licensing (MAL) provided copies of the mistakenly sent consultation summary and the letter of notification from the hospital to Patient 5. The misdirected consultation summary contained Patient 5's name, date of birth, Medical Record number, date of service, and medical information regarding a history, physical examination, assessment and plan of care for his lung biopsy. Record review of the faxed report from the hospital to CDPH confirmed that the hospital was notified of this event by Physician G on 11/1/13. This report was faxed to CDPH on 11/12/13 at 11:41 AM, nine business days after the information breach was detected. The hospital was four days late in notifying CDPH of the breach of Patient 5's medical information.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280