Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 18, 2014. Also cited in 46 other reports.
Report ID: R4OB11.01, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on interview and record review, an admitting department employee (Employee 1), did not follow facility policy and procedures, when Employee 1 inadvertently emailed a list containing the names and other Protected Health Information (PHI), for fifteen (15) Emergency Department (ED) patients (A,B,C,D,E,F,G,H,I,J,K,L,M,N,O) to an email recipient (Recipient B) outside the facility. This resulted in a breach of PHI for fifteen (15) patients.
Findings:
On July 31, 2014 at 8:40 AM, during a telephone interview with the Facility Privacy Officer (FPO), she stated, "Employee 1 was responsible to make a list of ED patients, who did not have medical insurance or had a non profit, public health plan and email that list to Recipient A who tracked the number of patients Employee 1 saw daily. I have it logged that on January 2, 2013, Employee 1 inadvertently chose the wrong email recipient and emailed the list containing patient information to a non facility individual, (Recipient B). Employee 1 notified her supervisor on January 4, 2013 of the incident."
When asked if the facility had retrieved the list of confidential patient names and their PHI, the FPO stated, "Employee 1 told Recipient 2 not to open the email and an attempt made by the FPO to recall a test email sent to an outside email address at that time was unsuccessful." The FPO was unable to verify that the list containing the names and PHI for fifteen (15) patients was retrieved or accounted for.
On July 31, 2014 at 9:25 AM, during a telephone interview with the Admitting Manager, when asked what Employee 1's job function was at the time of the occurrence, she stated, "Employee was responsible for interviewing patients seen in the ED who had no insurance or had a non-profit public health plan and talk with them about resources available to them for services outside the ED. She would complete a log of the patients she spoke with daily and send it to various recipients, including Recipient B in division support."
When asked how she became aware of the incident, the Admitting Manager stated, "Employee 1 had a telephone conversation with Recipient 2 either on January 3 or 4, 2013. During their phone conversation, Employee 1 realized that she had emailed the list of fifteen (15) patients and their PHI to Recipient 2 in error. She reported the incident to me on January 4, 2014, felt bad about it and stated that she (Employee 1), had attempted to recall the email with the attached list and thought that she was successful in doing so."
The confidential list emailed by Employee 1 to Recipient B, included the following PHI for fifteen (15) patients:
a. Patient Names
b. Health plan account numbers
c. Date of Birth
d. Account numbers
e. Chief complaint
f. Physicians name
g. Referral information given
A review of the facility policy and procedure titled, "Email Policy", dated January 17, 2012, it indicated:
"A. When sending email to recipients with email boxes located inside the (facility name) network or when sending email messages to other recipients in the Global Address List (GAL):
1. Use reasonable care in typing and selecting the names of recipients and selection of any distribution lists."
2. Ensure that distribution list (s) contains only recipients internal to (facility name)."
"E. User Responsibilities:
"1. All messages containing PHI or Personal Information are classified as sensitive and must be safeguarded in accordance with facility policy on Safeguarding PHI and Sensitive Information."
The failure of Employee 1 to use reasonable care in selecting the correct email recipients, resulted in the breach of PHI for fifteen (15) patients.
Outcome:
Deficiency cited by the California Department of Public Health: Nursing Service Policies and Procedures.