Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
ST MARY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 6, 2012. Also cited in 55 other reports.
Report ID: LTG611.01, California Department of Public Health
Reported Entity: ST MARY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to protect patients' medical information. This breach caused patients' protected health care information (PHI) to be released.Findings:a. The facility self-reported that Patient A's PHI intended for an insurance company was inadvertently sent to an incorrect insurance company. Review of the letter dated 5/24/12, stipulated that Patient A's ER (Emergency Room) record was inadvertently sent to an incorrect insurance company. The information disclosed included the following: name, medical record number, account number, insurance information, and social security number.During an interview with the health information officer on 6/20/12 at 3:35 PM she stated, "In admitting, the insurance eligibility was verified, the staff did not change the first name of the patient, the complete ER visit was sent to the wrong insurance company."b. The facility also self-reported that the PHI intended for a patient was inadvertently mailed to another patient. The breach involved 6 patients (Patient B, Patient C, Patient D, Patient E, Patient F, and Patient G), and included information on itemized billing statements.Review of the letters mailed to each patients (Patient B, Patient C, Patient D, Patient E, Patient F, and Patient G) dated 5/24/12 stipulated that a copy of the billing statement may have been inadvertently mailed to another patient. The information disclosed included the following: a. Name.b. Medical record number.c. Account Number.d. Insurance information.e. Tests performed.During an interview with the health information officer on 6/20/12 at 3:35 PM, she confirmed inappropriate disclosure of PHI. The officer stated that 1 patient called the finance department indicating "Has somebody's information." The officer also stated, "The lady in the finance department billed only 6 patients, so not sure who the patient was, notified the 6 patients."Review of the policy and procedure titled "Disclosure of Protected Health Information by Fax Policy", revised 1/20/12 indicated, "Each page intended to be faxed must be reviewed by the sender to ensure that it is applicable to the patient whose information is being requested, and to confirm that another patient's information is not included with the documentation." Review of the policy and procedure titled "Minimum Necessary Standard for Use, Disclosure, and Request of Protected Health Information" revised on 1/2012 stipulated, "When using or disclosing PHI ... Workforce member must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request."
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights