This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER

505 PARNASSUS AVE, BOX 0296 SAN FRANCISCO,CA 94143

Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 21, 2014. Also cited in 108 other reports.


Report ID: 27M311.01, California Department of Public Health

Reported Entity: UCSF MEDICAL CENTER

Issue:

Based on interview and record review, the hospital failed to ensure the confidentiality of Patient 2's and Patient 3's electronic medical records (EMR) when an employee (Temp 1) accessed these two records without authorization, and subsequently may have made harassing phone calls to Patient 2 using information from Patient 2's EMR, and may have tried to initiate a new credit card using information from Patient 3's EMR. Further investigation indicated Temp 1 accessed sixty-eight other patients' EMRs without business justification or authorization. This breach caused Patient 2 to have concerns for her safety, and it had the potential for embarrassment to the patients whose medical information was breached and for identity theft at a future date.

Findings:

During an interview on 8/21/14 at approximately 11:00 AM, the hospital's Privacy Analyst (PA 2) stated the hospital had received a complaint letter from Patient 2 on behalf of Patient 2 and her daughter, Patient 3, stating she (Patient 2) had been receiving harassing phone calls. Patient 2's 'caller ID' feature indicated the calls were coming from the hospital, and Patient 2 suspected that the caller got her phone number from her EMR.

PA 2 stated that an audit of Patients 2 and 3's EMRs showed that between 4/30/14 and 7/27/14, Temp 1, who was employed as a Scheduler/Biller in the GI (Gastrointestinal) Clinic, accessed Patient 2's EMR two times and Patient 3's EMR eight times without authorization or business justification. PA 2 stated that when Patient 2 learned the name of Temp 1, Patient 2 stated there had been a long history of disagreements between them. PA 2 continued that the Police Department was involved, and they reported that on 7/15/14 an attempt was made to initiate a new credit card using Patient 3's information. After receiving this information from the Police, the hospital expanded its search of Temp 1's computer activity and discovered that Temp 1 had accessed an additional sixty-eight patients' EMRs without business justification or authorization. This information was also provided to the Police Department for follow up.

Record review of letters from the hospital to CDPH, dated 9/3/14, indicated Temp 1 no longer worked at the hospital and no longer worked for the Business Associate who provided her as a temporary worker. Temp 1 left her employment at the hospital before her intentional medical information breaches were discovered. There was no interview conducted with Temp 1 by hospital personnel or by Business Associate personnel.

The hospital provided a copy of the audit performed by the Information Technology staff. In a letter dated 2/20/15, the Manager of Accreditation and Licensing wrote that the Privacy Department set the parameters of the audit, which included Temp 1's name and employee ID, patient name, any and all access, medical record number, and systems: APEX access with start date of 4/29/13 to "present" (approximately 6/9/14). The letter went on to say that PA 2, in concert with the Department Manager, reviewed the audit results and redacted the patient information for those patients for whom Temp 1 had a legitimate business reason for access. The letter also stated that the column headed "Module" indicated the section of the electronic medical record that Temp 1 accessed. Review of the "Modules" column indicated Temp 1 accessed areas of the EMR which included such protected health information (PHI) as physician notes, immunization records, laboratory reports, medications, and physician orders.

Record review indicated Temp 1 signed a Confidentiality of Patient/Employee and (Hospital) Business Information statement on 4/30/13. In addition, Temp 1 had taken a Hospital/Business Associate "HIPAA Quiz" on 4/30/13 and had a passing score of 95%.

Record review of the Hospital's Police Case Report Summary for case number 2013-00016527 indicated that the Police had confirmed that Temp 1 had accessed the protected health records of Patient 2 and Patient 3 without business justification. This record indicated that on 9/11/14 a detective (PO 1) spoke with Temp 1 and requested an interview with her regarding this matter. PO 1 told Temp 1 that she could bring an attorney with her. Temp 1 declined to be interviewed. PO 1 wrote, "Based on my investigation, I believe there is probable cause to arrest (S) [Suspect] Temp 1 for violation of 502 (c)(2)PC (Two Counts)." Violation 502(c)(2)PC refers to "accessing data outside the scope of employment." On 11/24/14, PO 1 added to this case summary that Temp 1 "had been arrested and booked in Solano County for the warrant that had been issued in this case." The actual arrest took place on 11/21/14.

The facility failed to ensure the confidentiality of Protected Health Information when a staff member, Temp 1, accessed seventy patients' electronic medical records without authorization and used this information to make harassing telephone calls to Patient 2, and may have attempted to use Patient 3's information to obtain a new credit card. The employee's action to access the patients' medical information for improper purposes violated Health and Safety Code 1280.15 and is therefore subject to the applicable civil penalty assessment.
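The findings describe the audit the hospital ran: pull every access by one employee ID on one system over a date range, set aside the patients for whom the employee had a legitimate business reason, and read the "Module" column to see which parts of the record were opened. The script below is an added example of that audit written for a defender, not code from the report, the hospital, or CDPH. The access log, the employee and patient identifiers, the clinic schedule, and the business-justification rule (a patient counts as justified if they had a visit with the employee's clinic within a few days of the access) are all constructed assumptions for illustration; a real audit would take the justification rule from the privacy office, as the report says happened here.

```python
"""
Added example: an EMR access-log audit of the kind the Findings describe.
Everything below (log lines, identifiers, schedule, justification rule) is
constructed sample data and does not come from the report.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample access log (CSV). Columns: timestamp, employee_id,
# system, mrn, module. E1234 stands in for the audited employee.
SAMPLE_LOG = """timestamp,employee_id,system,mrn,module
2014-05-01T09:14:00,E1234,APEX,MRN-100,Scheduling
2014-05-02T10:30:00,E1234,APEX,MRN-200,Notes
2014-05-02T10:32:00,E1234,APEX,MRN-200,Medications
2014-06-03T14:05:00,E1234,APEX,MRN-300,Lab Results
2014-06-03T14:07:00,E1234,APEX,MRN-300,Immunizations
2014-06-10T08:00:00,E1234,APEX,MRN-100,Orders
2014-07-27T16:45:00,E1234,APEX,MRN-300,Notes
2014-07-28T09:00:00,E9999,APEX,MRN-300,Notes
2014-04-01T09:00:00,E1234,APEX,MRN-300,Notes
"""

# Constructed clinic schedule: MRN -> visit dates with the employee's clinic.
# Only MRN-100 is a patient of that clinic in this sample.
CLINIC_SCHEDULE = {
    "MRN-100": [datetime(2014, 5, 1).date(), datetime(2014, 6, 10).date()],
}


def parse_log(text):
    """Parse the CSV access log into dicts, converting timestamps to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def is_justified(access, schedule, window_days):
    """Assumed business-justification rule: the patient has a visit with the
    employee's clinic within +/- window_days of the access."""
    day = access["timestamp"].date()
    return any(abs((visit - day).days) <= window_days
               for visit in schedule.get(access["mrn"], []))


def audit_employee(log, employee_id, system, start, end, schedule, window_days=7):
    """Return accesses by employee_id on `system` within [start, end] that the
    schedule cannot justify, oldest first. These are the rows a privacy
    analyst would review rather than redact."""
    hits = [
        a for a in log
        if a["employee_id"] == employee_id
        and a["system"] == system
        and start <= a["timestamp"] <= end
        and not is_justified(a, schedule, window_days)
    ]
    return sorted(hits, key=lambda a: a["timestamp"])


def summarize(unjustified):
    """Count affected patients and list the EMR modules (PHI areas) touched."""
    per_patient = Counter(a["mrn"] for a in unjustified)
    return {
        "patients": len(per_patient),
        "per_patient": dict(per_patient),
        "modules": sorted({a["module"] for a in unjustified}),
    }


def run_sample():
    """Run the audit over the constructed data with a constructed date window."""
    log = parse_log(SAMPLE_LOG)
    hits = audit_employee(
        log, "E1234", "APEX",
        datetime(2014, 4, 29), datetime(2014, 7, 27, 23, 59, 59),
        CLINIC_SCHEDULE,
    )
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, summary = run_sample()
    for a in hits:
        print(a["timestamp"].isoformat(), a["mrn"], a["module"])
    print(summary)
```

The justification step is the part that decides the audit's quality: too wide a window hides real misuse, too narrow one floods the analyst with legitimate clinic work. Accesses by other employees and accesses outside the window are excluded before the rule is applied, so expanding the date range (as the hospital did after hearing from the Police) is a matter of changing `start` and `end` and re-running.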

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
