Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COMMUNITY HOSPITAL
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 18, 2014. Also cited in 64 other reports.
Report ID: 0CBJ11.01, California Department of Public Health
Reported Entity: RIVERSIDE COMMUNITY HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure for five patients (Patient A, B, C, D, and E), that their protected health information (PHI) was not disclosed to another patient (Patient F). This failure resulted in unauthorized access to each of these patients' demographic information and the potential for misuse of the information.Finding:On March 12, 2014, the California Department of Public Health received a letter from the facility indicating five patients' protected health information was disclosed without authorization. The letter indicated information disclosed included Patient A, B, C, D, and E's demographic information. On March 18, 2014, at 9:30 a.m., the Facility Privacy Officer (FPO) was interviewed. The FPO stated the facility's main corporate office became aware of the breach on January 20, 2014, when an unknown person delivered a box containing a large number of documents to a corporate facility in Colorado. The FPO stated she was informed about the incident on March 6, 2014. The FPO stated on December 10, 2013, a business associate inadvertently sent a file containing 1000 patient billing statements to another business associate. The file was inadvertently printed and 250 documents were sent to four patients. The facility became aware when one patient hand delivered the documents to a local corporate facility on January 20, 2014. The FPO stated the information disclosed included Patient A, B, C, D, and E's demographic information including patient name, address, patient account number, admission and discharge date, original charges, payments and discounts. The FPO stated the facility's corporate office conducted the investigation. February 7, 2014, was identified as the date the breach was confirmed by the corporation. The FPO did not know why there was a delay in the facility being informed about the breach. The letters sent to each of the five patients were reviewed on March 18, 2014. Each of the five letters had a mailing date of March 7, 2014. The letters indicated, "We are writing to inform you that we discovered on February 7, 2014, your personal information contained in your records at Riverside Community Hospital may have been advertently disclosed to another patient." The policy and procedure titled "Safeguarding Protected Health Information," with an effective date of November 1, 2012, indicated "the facility must take reasonable steps to safeguard and protect PHI...States may have separate laws that may apply additional legal requirements."The facility policy and procedure titled "Protected Health Information Breach Notification," with an effective date of October 12, 2009, was reviewed. The policy indicated: "Any Company-affiliated facility in the case of a breach of unsecured PHI, must notify the patient or their personal representative without reasonable delay and in no case later than 60 days of discovering the breach." The policy continues: "A breach is considered discovered as of the first day on which the breach is known by the business associate and/or the facility." According to the policy a breach is the unauthorized acquisition, access, use, or disclosure of unsecured, unencrypted PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280