Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 28, 2014. Also cited in 44 other reports.
Report ID: 8Q5M11.01, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for one patient (Patient A), when medical records containing PHI of Patient A were inadvertently released to a copy service company. This placed Patient A at risk for identity theft and the unauthorized release of PHI.Findings:On July 28, 2014 at 10:20 AM, a phone interview was conducted with the Compliance Specialist (CS) to investigate an entity reported incident of a breach of PHI for Patient A. The CS stated that the breach had been detected on June 27, 2013, when two employees (Employee 1 and Employee 2) inadvertently released a copy of Patient A's medical records to a copy service company. The documents for Patient A contained PHI which included: Patient A's name, date of birth, medical record number, Social Security Number, address, phone number, driver 's license number, birthplace, and clinical notes. During further interview with the CS, the CS stated the copy service company to which the disclosure was made, notified the facility about the disclosure, and attested to destroying Patient A's medical records. The copy service company also stated that none of the PHI in Patient A's medical records was retained.During a review of the letter sent to the California Department of Public Health dated July 3, 2013, the facility indicated on June 27, 2013, the Health Information Management (HIM) department inadvertently released documents to a copy service company containing PHI of Patient A. The documents for Patient A contained PHI which included: Patient A's name, date of birth, medical record number, Social Security Number, address, phone number, driver's license number, birthplace, and clinical notes. Patient A was notified of the breach through a patient notification letter via mail.The agency's policy and procedure, titled "Operating Policy, Patient 's Rights, Protection of Patient Privacy," dated May 2013, indicated, "1.1 All medical center employees, members of the medical staff, house staff, volunteers, faculty, and students, shall be responsible for maintaining confidentiality of patient information. This responsibility shall include personal observations, oral conversations, the designated record set and its contents, and any other electronically stored or written patient or patient- related data."The facility's failure to safeguard the documents containing Patient A's PHI, placed Patient A at risk for identity theft and the unauthorized release of PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights