This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

26520 CACTUS AVENUE MORENO VALLEY,CA 92555

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 29, 2014. Also cited in 123 other reports.


Report ID: I2CT11.03, California Department of Public Health

Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure 463 patients (Patients 1 through 463), were notified of an unauthorized disclosure of their protected health information (PHI), no later than five (5) business days after the disclosure was detected by the facility. The incident was detected by the facility on September 25, 2014, and the patients were notified 66 days later and 59 days after the mandated notification reporting timeframe.Findings:On October 29, 2014, at 7:45 a.m., an interview was conducted with the Assistant Administrator (AA) and the Hospital Administrative Surveyor (HAS). They stated: a. On September 25, 2014, the Rehabilitative Services Department Manager (RSDM) discovered one of the laptop computers used to access the patients' medical records, and to document the patients' treatments, was missing.b. On September 26, 2014, the HAS was notified of the missing portable laptop computer belonging to the RSD.c. On October 23, 2014, the County Information Security Officer (CISO) was notified of the missing RSD laptop computer.d. On October 23, 2014, the other two laptop computers in the RSD, which were used for the same function/similar service as the missing laptop computer, were analyzed. It was determined that "temporary files" were found on the computers which were the patients' physical therapy records and "face sheets," and the files were not encrypted (process of encoding messages or information in such a way that only authorized parties can read).On December 2, 2014, at 1:30 p.m., a subsequent interview was conducted with the HAS. She stated:a. The records for 463 patients were on the RSD missing laptop computer.b. The social security number, for 399 of the patients, was part of the information contained on the laptop computer. c. There were six minor children involved and the notification letters were sent to their parents/guardians.The individual who took the laptop computer received and had an opportunity to view Patients 1 through 463's PHI, which included name; date of birth; address; telephone number; medical record number; gender; date of service(s); treating physician; diagnosis; treatment received; health insurance information; and for 399 of the 463 patients, their social security number(s).Patients 1 through 463 were informed of the disclosure of their protected health information (PHI) via letters dated and mailed on December 1, 2014 (66 days after the unlawful or unauthorized access had been detected facility, and 59 days after the 5 business days the facility had in order to notify the patients in writing), to their last known addresses. The California Department of Public Health (CDPH) was notified via a telephone call on October 28, 2014, of the unauthorized access of Patients 1 through 463's PHI (32 days after the discovery by the facility, and 25 days after the 5 business days the facility had in order to report the breach in PHI to CDPH).The facility policy and procedure titled "Breach of Patient Privacy" reviewed July 8, 2014, revealed "... Report to the Appropriate Regulatory Agency(ies) ... Reports must be made to: The patient, no later than five (5) business days after the unlawful or unauthorized access, use, or disclosure had been detected by (Name of facility). ..."

Outcome:

Deficiency cited by the California Department of Public Health: Medical Breach

Related Reports:

Do you believe your privacy has been violated? Here’s what you can do: