Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 17, 2014. Also cited in 24 other reports.
Report ID: 34X511.01, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF THE MONTEREY PENINSULA
Issue:
Based on interview and record review, the hospital failed to protect the patient rights for confidential treatment of medical records for 100 of 100 sampled patients (1-100) when:
1) An outside business (Business 2) merged Patient 1 and one private individual's (Individual 1, not associated with the hospital as a patient or employee) credit report information disclosing Patient 1's personally identifiable information (PII) to Individual 1.
2) A package which contained payment information for 99 patients arrived at the hospital opened and empty.
These failures resulted in Patient 1's PII, and the payment information for 99 patients disclosed to unauthorized individuals.
Findings:
1. The California Department of Public Health received an online report on 6/19/14, which indicated Patient 1's name, address, and date of service had been disclosed to Individual 1 due to an error, when Business Entity 2 (Business 2) merged Patient 1's and Individual 1's credit information and sent it to the hospital's business associate (Business 1). When Individual 1 contacted Business 1, Business 1 disclosed Patient 1's PII to Individual 1.
During an interview on 10/17/14 at 9:55 a.m., the privacy officer (PO) stated Individual 1 telephoned Business 1 which disclosed Patient 1's PII to Individual 1. PO stated Individual 1 came into the hospital's business office with a document containing Patient 1's information and stated it was not his information.
During an interview on 10/17/14 at 11:15 a.m., a hospital's customer service representative (CSR) stated Individual 1 came to the business office with a document containing Patient 1's information and stated he had never been a patient of the hospital. CSR stated Individual 1 stated Business 1 had told him to go to the hospital and have the error (merging of information) corrected. CSR stated Individual 1 wanted the hospital to telephone Business 1 and notify them the PII they had in their records was not his.
During an interview on 10/17/14 at 11:35 a.m., the supervisor of customer service (SCS) stated the hospital's business office only gave Business 1 PII for Patient 1 which then was sent to Business 2. SCS stated the hospital had no knowledge of Individual 1 until he came to the hospital with the document. SCS stated Business 1 informed him they had only given Patient 1's PII to Business 2. SCS stated he was not sure how the PII for Patient 1 and Individual 1 had been merged, unless Business 2 had merged them.
A review of a copy of the document, with Patient 1's information, brought to the hospital on 6/12/14 by Individual 1 indicated Patient 1's name and address had been disclosed.
A review of a copy of the hospital's undated "Patient Information Inappropriate or Unauthorized Disclosure" form completed by SCS indicated Patient 1's name, address, and date of service had been disclosed.
A review of a copy of the hospital's 03/2012 "Confidentiality of Patient and Hospital Business Information" indicated the hospital is entrusted with protecting confidential patient information, which includes patient-identifiable information. The information must be kept completely confidential.
2. The California Department of Public Health received an online report on 5/16/14, which indicated a package shipped from the bank to the hospital had arrived open and the documents missing. The package arrived at the hospital's business office on 5/9/14. The envelope appeared to have been poorly sealed, and not intentionally opened. Routinely, the packages would contain patient payment information, i.e. credit card and check stubs. The package contained payment information for 99 patients disclosing patient names, check information including bank account and routing numbers, amounts due, also credit card information including credit card numbers, CVNs (card verification number, the three-digit number on the back of most credit cards), expiration dates, and amounts due and enclosed.
During an interview on 10/17/14 at 12 p.m., the privacy officer (PO) stated when patients made a payment to the hospital, they were actually sending their payment directly to the bank. The bank processed the payment, and each week sent the supporting documents and a log of transactions to the hospital. PO stated a package sent from the bank had arrived empty. The packages had not been torn open, so the hospital assumed the envelope seals were substandard. PO stated the bank was able to provide the hospital a copy of the transaction details from the package. PO stated there were 99 missing documents disclosing patients' bank routing numbers, account numbers, credit card numbers, and the hospital name.
A review of a copy of a letter sent on 5/19/14, from the hospital to the 99 patients whose documents were in the package, indicated the patient's payment had been received and processed by the bank, but the original payment stub, which had then been mailed to the hospital, had not been received. Further review of the letter did not indicate the documents were missing.
A review of a copy of the "Transaction Detail" document, indicated the name of the bank, name of the hospital, account numbers, check numbers, and amounts due had been disclosed. A copy of the "Keyed Invoice Fields" document, for checks, indicated each patient's name, visit number, amount due, and the hospital name had been disclosed. A copy of the credit card settlement document indicated each patient's name, email address, card type, and amount had been disclosed; and a copy of the "Keyed Invoice Fields" document, for credit cards, indicated each patient's name, credit card number and CVN, amount due, and name of hospital had been disclosed.
A review of a copy of the hospital's 03/2012 "Confidentiality of Patient and Hospital Business Information" indicated the hospital is entrusted with protecting confidential patient information, which includes financial information. The information must be kept completely confidential.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights