Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SAN FRANCISCO GENERAL HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 19, 2013. Also cited in 27 other reports.
Report ID: LBF211.01, California Department of Public Health
Reported Entity: SAN FRANCISCO GENERAL HOSPITAL
Issue:
Based on interview and record review, the facility failed to prevent the unauthorized access when Patient 1's personal health information (PHI) was posted on a public Website.
Findings: During an interview on 7/3/13 at 8:30 AM, the facility's Privacy Officer (PO) stated that, on 4/29/13, she (PO) was notified that Patient 1's personal health information had been posted on a public Website (BAPAC - Bay Area Perinatal AIDS Center). The PO stated Patient 1's name, sex, date of birth, medical record number, Human Immunodeficiency Virus (HIV) status, laboratory results, procedural notes, and medical prescriptions were posted on this Website. The PO provided a copy of the Website posting for Patient 1 which was titled "BAPAC Antepartum List" which has the date originally collected 1/10/13.
The PO stated the data had been posted on 2/5/13 and was removed on 4/29/13. The PO said the Information Security Department was trying to identify all persons who may have accessed this data during the posted period. As of 7/2/13, the Website information had been accessed by 15 BAPAC physicians back to 3/31/13.
The PO explained that facility A partnered with facility B in providing BAPAC services. Patient 1 was seen by facility A and the Website was managed by facility B. The PO stated that an investigation showed that a Nurse Practitioner (Staff 1) populated the form with Patient 1's information while the form was in a folder meant for templates only. When the Web Master asked for form templates to use on the Website, a secretary (Staff 2) sent the Web Master the folder of templates without checking them to ensure the forms were blank. The Web Master (Staff 3) then posted the forms without checking to ensure the forms were blank.
The PO provided documentation that Staff 1 and 2 had received the facility A's orientation and training on Information Security and Privacy, and Staff 3 had received the same orientation and training from facility B.
The facility policy and procedure "Use of (facility name) Records and Information Systems" dated 9/28/09, stated "Individuals with access to the records and information systems...have a legal and ethical responsibility to protect the confidentiality of personal, medical, financial, and protected health information..."
The facility did not follow this policy and procedure when Staff 1 populated a form labeled as a template, Staff 2 transferred forms without checking their content, and Staff 3 posted forms on a Website without checking their content.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280