Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 8, 2014. Also cited in 108 other reports.
Report ID: 00HO11.02, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review the facility failed to prevent unauthorized access to the patients' medical information.Findings:1. For Complaint CA393188:During an interview on 5/22/14 at 8:35 AM, the Privacy Analyst stated the patient's pathology report was inadvertently mailed to wrong provider. Privacy Analyst stated the mistake was when the staff at Pathology Department chose the wrong recipient of the pathology report. Both providers had the same first and last name but different middle name.Review of the pathology report dated 3/19/14 indicated patient's name, medical record number, date of birth, age and medical information of the patient. Review of the facility's letter to the Department dated 4/1/14 indicated the facility was made aware of the breach of information on 3/28/14 and notified the patient on 4/1/14.2. For Complaint CA391134:During an interview on 5/22/14 at 9:00 AM, the Privacy Compliance Analyst stated the Discharge Summary was inadvertently mailed to wrong provider. Privacy Compliance Analyst stated the mistake was made when the staff put the Discharge Summary in an envelope and healthcare provider was not checked if it was the correct recipient. Review of the Discharge Summary dated 2/26/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Review of the facility's letter to the Department dated 3/13/14 indicated the facility was made aware of the breach of information on 3/7/14 and notified the patient on 3/11/14.3. For Complaint CA392341: During an interview on 5/22/14 at 9:20 AM, the Privacy Compliance Analyst stated the Discharge Summary and Notification letter were inadvertently faxed to wrong laboratory. Privacy Compliance Analyst stated the mistake was made when the staff chose the wrong provider number on the computer.Review of the faxed Discharge Summary and Notification letter dated 3/19/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Review of the facility's letter to the Department dated 3/24/14 indicated the facility was made aware of the breach of information on 3/19/14 and notified the patient on 3/21/14.4. For Complaint CA393582: During an interview on 5/22/14 at 9:40 AM, the Privacy Analyst stated the Discharge Summary was inadvertently faxed to wrong healthcare provider. Privacy Analyst stated the mistake was made when the staff chose the outdated healthcare provider address and fax number on the computer, and the healthcare provider have moved to another medical center.Review of the faxed Discharge Summary dated 3/29/14 indicated patient's name, medical record number, date of birth and medical information of the patient. Review of the facility's letter to the Department dated 4/3/14 indicated the facility was made aware of the breach of information on 3/29/14 and notified the patient on 4/1/14.5. For Complaint CA393757:During an interview on 5/22/14 at 10:00 AM, the Privacy Analyst stated the patient's Discharge Summary was inadvertently faxed to wrong provider. Privacy Analyst stated the mistake was made when the staff at Hematology Department chose the wrong recipient of the Discharge Summary. Both providers had the same last name but different firt name.Review of the Discharge Summary dated 3/31/14 indicated patient's name, medical record number, date of birth, age and medical information of the patient. Review of the facility's letter to the Department dated 4/4/14 indicated the facility was made aware of the breach of information on 4/2/14 and notified the patient on 4/3/14.6. For Complaint CA392324:During an interview on 5/22/14 at 10:30 AM, the Privacy Compliance Analyst stated the patient's Discharge Summary was inadvertently faxed to wrong provider. Privacy Compliance Analyst stated the mistake was made when the staff chose the wrong recipient of the Discharge Summary. Both providers had the same first name but different last name which sounded alike.Review of the Discharge Summary dated 3/17/14 indicated patient's name, medical record number, date of birth, age and medical information of the patient. Review of the facility's letter to the Department dated 3/21/14 indicated the facility was made aware of the breach of information on 3/19/14 and notified the patient on 3/20/14.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights