This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

SUTTER SANTA ROSA REGIONAL HOSPITAL

30 MARK WEST SPRINGS ROAD, SANTA ROSA, CA 95403

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 16, 2011. Also cited in 15 other reports.


Report ID: ORO511, California Department of Public Health

Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL

Issue:

Based on interview and record review, the hospital failed to prevent access to Patient 1's protected health information by unauthorized persons.

Findings:

An anonymous complaint received by the Department on 6/1/11 stated that on 5/12/11, a visitor in a conference room had moved a large monitor with a blank screen and that an image of Patient 1's chest x-ray had appeared on the screen. The complainant stated that he recorded Patient 1's name and medical record number and then turned off the monitor.

In interview on 6/16/11 at 8:30 a.m., Administrative Staff D stated that the hospital's PACS monitor (Picture Archive Communication system) is a large mobile monitor where digital films can be accessed by means of a pass code. The monitor is used for teaching purposes. She stated that the monitor is locked in a closet, probably by housekeeping, when not in use. Administrative Staff D stated that the hospital had not been notified of the 5/12/11 incident. When made aware of the unauthorized access during the investigation on 6/16/11, the facility reported the incident to the Department on 6/20/11, within five business days of the date the hospital learned of the breach.

In interview on 6/16/11 at 8:45 a.m., Administrative Staff E stated that it requires two layers of security to log into the PACS monitor, but the monitor would not log itself off after having been used. He stated that it was the responsibility of the person who reserved the monitor to lock it up or at least close the browser. He conjectured that on 5/12/11, the monitor was left with the screen saver still on, but the screen blank.

On 6/16/11, observation of Patient 1's x-ray and report on the monitor demonstrated that the protected health information on 5/12/11 included name, date of birth, medical record number, diagnosis, attending physician's name, and a copy of the x-ray picture.

On 6/20/11, review of the hospital's letter notifying Patient 1's parents about the breach demonstrated that it was sent on 6/17/11, within five business days of the date the hospital learned of the breach.

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
