Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ORANGE COUNTY GLOBAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 7, 2012. Also cited in 17 other reports.
Report ID: XUSH11, California Department of Public Health
Reported Entity: WESTERN MEDICAL CENTER SANTA ANA
Issue:
Based on interview and hospital document review, the hospital failed to prevent the disclosure of 10 patients' (Patients A, C, F, G, I, J, Q, K, L, and P) protected health information (PHI) to unauthorized individuals. Findings:1. On 9/6/12, the CBO (Central Billing Office) for the hospital was notified by a caller who received a follow up collections letter for a Patient A. The caller stated although he had the same first and last name, he had not been a patient at either Western Medical Center Santa Ana or Western Medical Center Anaheim hospitals on the dates indicated on the letter. The caller was disputing the bill.On 9/7/12, the caller contacted the CBO's Collections Department to dispute the charges he received for a Patient A. The caller provided evidence which showed a different middle name. The hospital's investigation showed Patient A was linked/matched to an address via internal skip-tracing process following unsuccessful attempts to deliver the bill to the address provided at registration.Patient A's PHI disclosed to the wrong party included name, service dates, and patient account number.2. On 9/4/12, the CBO received return mail from a payor stating the claims information sent to them did not match any of their patients. Review of the hospital's investigation showed the request for payment and related documents belonging to Patient C were sent to the wrong payor in error.Patient C's PHI disclosed included name, date of birth, address, social security number, service dates, diagnosis, procedure codes and insurance information.3. On 8/10/12, the CBO was notified a breach of PHI belonging to Patient F occurred on 8/2/12.Review of the CBO's investigation showed staff sent a UB (Universal Billing) claim electronically through their system to intentionally check eligibility. The system accepted the claim. However, the UB claim belonging to Patient F was sent to the wrong insurance company.Patient F's PHI disclosed included name, date of birth, zip code, medical record number, account number, health plan number, and a description of charges, billing codes and service dates.4. On 6/7/12, the CBO was notified by the recipient of a collections related letter that the caller (recipient) had never been a patient of the hospital; therefore the bill for services rendered for a Patient G did not belong to him.Review of the hospital's investigation showed at the time of Patient G's admission to the hospital, the patient was unresponsive. The CBO staff relied on the ambulance and police department personnel for Patient G's demographic information. The information gathered was electronically verified and formed the basis for billing and collections. However, the recipient and Patient G had the same first and last names but different dates of birth.Patient G's PHI disclosed included name, account number, service dates and total charges.5. On 7/3/12, the CBO was notified by a recipient of a collections-related letter for a Patient I, that the recipient had never been a patient at the hospital.Review of the hospital's investigation showed the first claim sent came back with "attempted - not known, unable to forward" message. A CBO representative did a skip-search using 411 for Patient I and found a match of the patient's name and phone number. The representative updated the patient's account and mailed another collections letter. A routine collection follow up call showed the representative reached the wrong person. The person stated he had never been a patient at the hospital. Patient I's PHI disclosed included name, account number, service dates and total charges.6. On 6/26/12, the CBO was notified a breach of Patient J's PHI was disclosed on 6/6/12. An authorization letter belonging to Patient J was attached, by error, to another patient's claim appeal faxed to a health insurance company. Patient J's PHI disclosed included name, date of birth, physician's name and phone number, authorization dates, status and number, account number, diagnosis code, procedure code and insurance name, member identification and clinical notes.7. Review of the hospital's documentation showed on 8/3/12, while performing a routine review of facts related to a denial of payment, the hospital's CBO found an unauthorized disclosure of Patient Q's PHI occurred on 4/10/12.On 8/3/12, the CBO became aware contents of package intended for delivery to a physician's group was accidentally mailed to an unintended physician's group.Patient Q's PHI disclosed included name, phone number, date of birth, zip code, medical record number, account number, health plan number, and physician's name and phone number, authorization dates, status, diagnosis code and procedure name, insurance name, member identification number, clinical notes, medications, lab results, account charges, dates of service and billing codes.8. On 5/22/12, the CBO was notified of the UB form belonging to Patient K was inadvertently sent to the wrong insurance carrier. In an attempt to collect payment for services rendered, the CBO relied on the response provided by Medi-cal Eligibility Response System which listed the particular insurance carrier as the primary payor on Patient K's account. Patient K's PHI disclosed included name, address, insurance information, account number, medical record number and service dates.9. Review of the hospital's investigation, dated 8/27/12, showed a credit report was put into the system with the social security number provided by Patient L upon admission. The credit report showed a different address than given upon admission. The bill to collect payment for services rendered was sent to the patient using the address on the credit report.On 8/24/12, a caller contacted the hospital to inform the receipt of a bill for Patient L that did not belong to caller. The caller added she had never been a patient at the hospital.Patient L's PHI disclosed included name and account number.10. On 1/6/12, the CBO was notified the PHI of Patient P was disclosed to an unauthorized person. Review of the investigation showed in an attempt to collect outstanding balances and consistent with the collection policies, the hospital's third party collector sent collection notices and abstracts from the signed Conditions of Services Form to an individual who shared the same first and last name of Patient P; however this person was never a patient at the hospital. The middle initial and the address of Patient P were different from the individual who received the collection notice.Patient P's PHI disclosed included signed consent forms for procedures, a face sheet listing name, address, emergency contact name and phone number, insurance information and diagnosis. A hospital claim form listing Patient P's account number, medical record number, and hospital services was also included in the information disclosed to the wrong person unintentionally.On 2/1/13, communication with the CBO's HIPPA (Health Information Privacy Protection Act) Officer confirmed the breaches of PHI occurred as documented.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280