This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

ST BERNARDINE MEDICAL CENTER

2101 N WATERMAN AVE, SAN BERNARDINO, CA 92404

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 30, 2013. Also cited in 41 other reports.


Report ID: 0NXD11.01, California Department of Public Health

Reported Entity: ST BERNARDINE MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for three patients (Patient A, Patient B, and Patient C), when their PHI was inadvertently auto-faxed to a medical group (Medical Group 1, unfamiliar with these patients). This breach of Patient A, Patient B, and Patient C's PHI placed the patients at risk for identity theft.

FINDINGS:

On February 26, 2013, at 10:00 AM, while at the facility, an interview was conducted with the facility privacy officer (FPO) to investigate an entity-reported incident of possible PHI breach of Patient A, Patient B, and Patient C.

On July 31, 2012, a review was conducted of the entity-reported incident. The facility investigation was also reviewed, which revealed that on October 24, 2012, the facility was notified by Medical Group 1 that three separate patients' (Patient A, Patient B, and Patient C) PHI was faxed to them, and they were unfamiliar with these patients. The facility's investigation further documented that Clinician 1 had inputted fax numbers into the faxing profile of the transcribed report repository for auto-faxing reports. Reports for Patients A, B, and C were erroneously directed to Medical Group 1, when in fact they did not belong to that medical group.

Patient A, B, and C's PHI which was faxed to the unauthorized, unintended medical group included the following: consultation reports for Patients A, B, and C. PHI included: Patient A, Patient B, and Patient C's name, date of birth, age, sex, marital status, social history, consulting physician name, primary physician name, diagnoses, past medical history, current medical condition, medications, treatment, treatment plan, lab tests ordered and lab results, medications, allergies, facility name, date of admission, reason for admission, recommended treatment, medical record number, and the encounter number.

On August 14, 2013, at 12:20 PM, a phone interview was conducted with the FPO, who confirmed the incident. She stated that when this particular medical group (Medical Group 1) was overcrowded, they have a contract with the facility to admit their patients to the facility. Clinician 1, a facility nurse practitioner, followed the patient overflow cases, so she set up auto-faxing for all her reports to go to Medical Group 1. Patients A, B, and C had been seen by Clinician 1 but did not belong to Medical Group 1; however, due to the auto-faxing, their information was sent in error.

The facility failed to protect patient rights regarding maintaining the privacy and confidentiality of patient PHI, which resulted in Patient A, Patient B, and Patient C being placed at risk of identity theft, when a fax containing Patient A, Patient B, and Patient C's PHI was faxed to a medical group without authorization.

Outcome:

Deficiency cited by the California Department of Public Health: Patients' Rights
