Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
COMMUNITY HOSPITAL OF SAN BERNARDINO
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on July 18, 2014. Also cited in 46 other reports.
Report ID: R4OB11.02, California Department of Public Health
Reported Entity: COMMUNITY HOSPITAL OF SAN BERNARDINO
Issue:
Based on observation, interview, and record review, the facility failed to ensure that 15 patients' (Patients A, B, C, D, E, F, G, H, I, J, K, L, M, N and O) confidential medical information was protected, when a list containing PHI was inadvertently emailed to the wrong email address. This resulted in a breach of protected health information for all 15 patients.
Findings:
On July 31, 2014 at 8:40 AM, a phone interview was conducted with the Facility Privacy Officer (FPO). She stated, "Employee 1 inadvertently emailed a list containing the names and other PHI, for 15 patients, to an unintended email address (Recipient B) outside of our facility. Employee 1 had entered the first two letters of the intended email recipient's first name (Recipient A), which were the first two letters of Recipient B's first name, and sent the email without confirming that it was the correct email address."
On July 31, at 9:25 AM, during a telephone interview with the Admitting Manager, when asked how she became aware of the breach, she stated, "Employee 1 informed me of the error on January 4, 2013. Employee 1 had a telephone conversation with Recipient B, either on January 3 or 4, 2013, and that was when Employee 1 realized that she had sent the list in error to Recipient B's email. Employee 1 asked Recipient B not to open the email. Employee 1 had also said the FPO at that time had made contact with Recipient B."
During interview, neither the FPO nor the Admitting Manager could confirm that the PHI for all 15 patients had been retrieved or destroyed.
The confidential list emailed by Employee 1 to Recipient B included the following PHI for fifteen (15) patients:
a. Patient names
b. Health plan account numbers
c. Date of birth
d. Account numbers
e. Chief complaint
f. Physician's name
g. Referral information given
A review of the facility policy and procedure titled "Email Policy", dated January 17, 2012, indicated:
"A. When sending email to recipients with email boxes located inside the (facility name) network or when sending email messages to other recipients in the Global Address List (GAL):
1. Use reasonable care in typing and selecting the names of recipients and selection of any distribution lists.
2. Ensure that distribution list(s) contains only recipients internal to (facility name)."
"E. User Responsibilities:
1. All messages containing PHI or Personal Information are classified as sensitive and must be safeguarded in accordance with facility policy on Safeguarding PHI and Sensitive Information."
The failure of Employee 1 to use reasonable care in selecting the correct email recipient resulted in the breach of PHI for fifteen (15) patients.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights