Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SANTA CLARA VALLEY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on September 10, 2014. Also cited in 90 other reports.
Report ID: 5CID11.01, California Department of Public Health
Reported Entity: SANTA CLARA VALLEY MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to prevent the unauthorized disclosure of patient health information (PHI) for 579 of 579 sampled patients (1- 579), when a laptop was stolen from a hospital affiliated clinic (SC). The failure resulted in the unauthorized disclosure of PHI for 579 patients to an unauthorized individual(s). Findings:The California Department of Public Health received a faxed report on 9/20/13, which indicated, on 9/16/13, SC staff discovered a laptop was stolen. The hospital could not confirm if the laptop had been encrypted (changing the information so it can only be read by a certain software program).During an interview on 9/10/14 at 10:45 a.m., the compliance officer (CO) stated, on the weekend of 9/14/13-9/15/13, SC had been broken into and a laptop, along with other pieces of equipment, had been stolen. The laptop contained newborn hearing screening exams, names, dates of birth, genders, ages, dates of service, and medical record numbers. CO stated local protective services (security) and the Sheriff's office were both called by SC staff.During an interview on 9/10/14 at 11 a.m., the quality improvement manager (QIM) stated the room where the laptop had been kept was not locked, but the building entrances were. QIM stated the laptop was not encrypted. She further stated the hospital was able to determine there were 579 patients affected since a hard copy of the records were kept in a locked file cabinet in a physician's (MD A) office. During a telephone interview on 9/10/14 at 11:20 a.m., MD A stated a laptop used for newborn hearing exams was stolen, and she could not recall the date of the theft. MD A stated the laptop was kept in a hearing test booth in a clinic room which should have been locked. MD A stated an SC staff member had noticed the laptop was missing a couple of days after the break in. Once the staff member noticed the laptop was missing, she notified MD A of the loss. MD A stated the laptop contained names, medical information, ages, medical record numbers, and dates of births.During an interview on 9/10/14 at 11:35 a.m., CO stated the laptop was discovered missing on 9/17/13.During an interview on 9/10/14 at 1:40 p.m., the privacy officer stated SC staff had located a hard copy of the names of the patients affected on 9/25/13. A review of a copy of a letter dated 9/27/13, from the hospital to the affected patients indicated a laptop, which was not encrypted, used for hearing screenings, was stolen. Patient names, medical record numbers, dates of birth, ages, genders, dates of service, and "brainwaves" from testing had been disclosed.A review of a copy of the hospital's 09/2010 "Mobile Devices" policy indicated appropriate controls shall be implemented on all mobile devises such that the confidentiality of data on the device is protected, appropriate measures shall be taken to ensure that mobile devices are protected against loss or theft.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280