Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CORONA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 14, 2014. Also cited in 19 other reports.
Report ID: TN8Q11, California Department of Public Health
Reported Entity: CORONA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patient's confidential information (Patient 1). Patient 1's confidential information was facsimiled to a private home facsimile on April 1, 2014, by an employee of the Radiology Department. This resulted in the unauthorized disclosure of Patient 1's protected health information (PHI).Findings:On April 14, 2014, at 1:13 p.m., an interview was conducted with the Privacy Officer (PO). She stated: a. On April 1, 2014, Patient 1's physician requested a copy of her radiology report, and an employee of the Radiology Department facsimiled the report.b. On April 1, 2014, the PO received a telephone call from the physician's office manager who stated they had received a telephone call from one of their patient's who stated she was in receipt of Patient 1's radiology report.c. The physician's office manager requested the unintended recipient of Patient 1's radiology report to facsimile the report to the physician's office, and the unintended recipient stated she would shred the radiology report once she facsimiled the report to the physician's office.d. The employee of the Radiology Department who facsimiled the radiology report to the unintended recipient had inputted the incorrect facsimile number which was one number off from the physician's office facsimile number.The unintended recipient received and had an opportunity to view Patient 1's PHI, which included name, date of birth, medical record number, account number, gender, age, and radiology report resultsPatient 1 was informed of the disclosure of her protected health information (PHI) via a letter dated and mailed on April 4, 2014, to her last known address.The California Department of Public Health (CDPH) was notified via a facsimile received on April 4, 2014, and a letter dated and mailed on April 4, 2014, of the unauthorized access of Patient 1's PHI.The facility policy and procedure titled "Hospital Fax Policy and Procedure" revised August 2013, revealed "... After keying-in the fax number in the fax machine, and before sending the fax, the sender should validate the fax number on the screen against the hand written one for accuracy. ..."The facility policy and procedure titled "PHI Privacy Breach Notification and Unauthorized Access" reviewed October 7, 2013, revealed "... (name of facility) must report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to CDPH and to the patient no later than five business days after the unlawful or unauthorized access; use or disclosure has been detected by the facility. ... Reports to patients should be made to the affected patient or to the patient's representative ... at his/her last known address. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280