Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
Adventist Medical Center
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on April 8, 2013. Also cited in 29 other reports.
Report ID: WFX311, California Department of Public Health
Reported Entity: ADVENTIST MEDICAL CENTER
Issue:
Based on staff interview, and administrative document review, the hospital failed to prevent unauthorized access of Protected Health Information (PHI) when Employee (E) 1 accessed Patient 1 and Patient 2's PHI without authorization. This failure resulted in the potential for misuse of PHI for Patient 1 and Patient 2.Findings:On 5/17/13 at 12:45 p.m., during a concurrent interview and administrative record review, the Risk Manager (RM) stated, "a patient had contacted the hospital and believed an employee had accessed the credit reports for her (Patient 1) and her boyfriend (Patient 2) without prior authorization." On 5/17/13 a review of a business office credit report was conducted for the time period of 1/2/12 to 12/31/12. The document revealed Patient 1's credit report had been requested on 2/16/12 at 3:22 p.m., and 3/30/12 at 11:33 a.m. by E 1. Patient 2's credit report had been requested on 2/16/12 at 3:26 p.m.; 3/30/12 at 11:30 a.m.; and 4/17/12 at 1:45 p.m. by E 1.On 11/1/13 at 12:55 p.m., during an interview the Risk Manager (RM) stated, "during an interview, the employee indicated she knew the individuals, and did not remember requesting the credit reports."On 12/10/13 at 11:40 a.m., during a telephone interview, Employee 1 stated, "my ex-husband won't admit it...he asked me to check his credit report...I only checked it twice."On 11/1/13 at 1 p.m., a review of the hospitals investigation report titled, "Privacy / Security Breach Report" was conducted. The report indicated Patient 1 had contacted the hospital on 1/30/13. Patient 1 reported that both she and her boyfriend (Patient 2) credit reports had been requested several times. Patient 1 believed Employee 1 (Patient 2's prior wife) had accessed the reports. Review of the Credit Report request log indicated Patient 1's credit report had been requested on 2/16/12 at 3:22 p.m., and 3/30/12 at 11:33 a.m.. Patient 2's credit report had been requested on: 2/16/12 at 3:26 p.m., 3/30/12 at 11:30 a.m., and 4/17/12 at 1:45 p.m. by Employee 1. The report further indicated that Employee 1 had submitted the request, which was "unauthorized and could not have been accidental."On 11/1/13 a review of an undated facility policy and procedure, No. 1000.08.09 titled, "Confidentiality of Protected Health Information (PHI)...It is the policy to maintain confidentiality for patients and employees at all times and under all circumstances. This commitment must be supported by working to see: That access to the medical record is restricted based the minimal amount of protected health information (PHI) necessary to accomplish the intended purpose of any use, disclosure or request; that access to the medical record can be managed through concurrent controls and retrospective auditing in order to safeguard the information that it contains; that PHI in all other forms, including oral, is maintained in confidence."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280