Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
KERN MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 11, 2015. Also cited in 23 other reports.
Report ID: 66PM11, California Department of Public Health
Reported Entity: KERN MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to prevent unauthorized access to one patient's (Patient Y) electronic medical record (EMR). This failure resulted in an intentional breach of Patient Y's medical information by health care provider(s) not involved in Patient Y's medical care.Findings:During a review of the online Self-Reported Breach dated 3/5/15, the Risk/Compliance Coordinator (RCC), conducted a "privacy breach" audit of the facility's EMR on 2/13/15. Upon reviewing this audit, she detected the name of a medical doctor (MD 1) who worked for the Urology (branch of medicine that focuses on the surgical and medical diseases of the male and female urinary tract system and the male reproductive system) Department. She stated Patient Y had no urological issues during this admission. The incident occurred on 1/16/15 when Patient Y was brought to the facility's Emergency Department (ED). Patient Y is the son of a Nurse Practitioner (NP 1) who also worked for the facility and shared an office with MD 1. RCC 1 interviewed both MD 1 and NP 1; both denied accessing Patient Y's EMR. MD 1 denied sharing his login access with anyone. During an interview with RCC, on 3/11/15, at 2:15 PM, she stated Patient Y was brought to the ED on 1/16/15 after midnight. She stated NP 1 came to the ED to visit Patient Y and entered via ED ambulance entrance by using her identification (ID) badge. RCC stated a friend of NP 1 who was also a Nurse Practitioner (NP 2) at their facility entered via ED ambulance entrance by using her ID badge. She stated both NP 1 and NP 2 wore their ID badges during their visit with Patient Y at the ED. During a follow-up interview with RCC, on 5/1/15, at 3:16 PM, she stated all the unauthorized accesses came from NP 1's computer. She stated when she interviewed MD 1's and NP 1's office staff, she was informed they had not witnessed MD 1 ever used NP 1's computer; however, NP 1 was witnessed to assist MD 1 with his efforts to access the computer. MD 1 was not available for interview; he no longer works for the facility. NP 1 was not available for interview.During a review of the SURGERY DEPARTMENT/ ENT (Ear-Nose-Throat)/PLASTIC/ORTHO (Orthopedic, branch of surgery dealing with muscles and bones)/NEURO (Neurology, branch of medicine dealing with disorders of the nervous system) SCHEDULE January 12, 2015 - February 8, 2015, NP 1 was covering for the Urology Department on 1/16/15, 8 AM to 4 PM. The SURGERY FACULTY ON CALL SCHEDULE 1/12/15 - 2/8/15, indicated MD 1 was covering for Urology on 1/16/15 (Friday) until 2 PM. During a review of the audit trail conducted by RCC 1, on 2/9/15, at 12:56 PM, MD 1's name was on six different occasions of unauthorized accesses to Patient Y's EMR. The accesses were on 1/16/15, at 3:04 PM to 3:10 PM.During an interview with the Staff Support Secretary (SSS 1), on 5/4/15, at 11:40 AM, she stated MD 1 usually leaves before noon on the Fridays of his weekend to go home. She stated MD 1 lived 5 hours away. She stated on 1/16/15, MD 1 was to take coverage till 2 PM. She stated he must have left at 2 PM as soon as his relief person came in.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280