Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHASTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on January 5, 2012. Also cited in 7 other reports.
Report ID: UCFP11.01, California Department of Public Health
Reported Entity: SHASTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure that Patient 1's medical information was protected from unauthorized disclosure. This failure allowed the general public to have access to Patient 1's medical information. * Patient 1's medical information was disclosed to News Agency A; * Patient 1's medical information was disclosed to News Agency B; * Patient 1's medical information was disclosed to hospital employees and medical staff; and* Patient 1's medical information was disclosed to News Agency C.Findings:(a) During an interview on 1/30/12 at 1:45 pm, Hospital General Council D stated he was notified that News Agency A was going to write an article regarding the hospital's care of a patient. Hospital General Council D further stated that News Agency A's reporter would not release the patient's name but had provided enough details that the hospital was able to identify Patient 1 as the subject of the proposed news article. Hospital General Council D revealed he received Patient 1's medical information from Hospital Chief Executive Officer (CEO) E, then forwarded it to Hospital Communications Director G to write a letter rebutting information from News Agency A's article. Hospital General Council D stated he did not secure Patient 1's permission to disclose her medical information.During an interview on 1/30/12 at 1:40 pm, Hospital Communication Director G confirmed that he received Patient 1's medical information from Hospital General Council D. Hospital Communication Director G stated he wrote and sent a rebuttal letter to News Agency A's reporter on 12/13/11 at 5:16 pm which disclosed Patient 1's diagnoses, lab values, medical/health consultations, and discharge information. Patient 1's name was not listed on this letter. Hospital Communication Director G acknowledged that he did not secure Patient 1's permission to disclose her medical information.(b) During an interview on 1/26/12 at 1:25 pm, Hospital CEO E stated that on 12/16/11, he was alerted by Hospital Media Relations Staff H that News Agency B was considering picking up the article regarding Patient 1 from News Agency A and reprinting it in their newspaper. He further stated that News Agency B was asking for the hospital's comment on the article that they were going to publish regarding Patient 1. Hospital CEO E further stated he asked Hospital Chief Medical Officer (CMO) F to review Patient 1's record and do a point by point analysis of the accuracy of the information in the article. On 12/16/11 at 4 pm Hospital CEO E, Hospital Media Relations Staff H, and Hospital CMO F took Patient 1's medical records pertaining to her admission, during early 2010, to News Agency B's Editor's office. Hospital CEO E stated that Hospital CMO F showed portions of Patient 1's record and discussed diagnoses, progress notes, lab values, medical/health consultations, and discharge information with News Agency B's Editor. Hospital CEO E confirmed he did not secure Patient 1's permission to disclose her medical information.During an interview on 1/5/12 at 1:55 pm, Hospital CMO F confirmed that she had gone to the office of News Agency B's Editor with Patient 1's record and had shown him portions of the record and discussed diagnoses, progress notes, lab values, medical/health consultations, and discharge information in hopes to dissuade News Agency B's Editor from publishing the article. Hospital CMO F further confirmed that she had not secured permission from Patient 1 to disclose her medical information.On 12/22/11, News Agency B's Editor had a blog that included an entry indicating he had chosen not to run the article from News Agency A. News Agency Editor B's blog included Patient 1's diagnosis and a consultation.(c) During an interview on 1/26/12 at 1:25 pm, Hospital CEO E stated that he issued a memo, dated 12/20/11 at 9:53 am, to all hospital employees and medical staff which included a side by side analysis of News Agency A's statements and the "actual facts" which included Patient 1's physicians' assessments, lab values, diagnoses, medical/health consultations, and discharge information. This memo did not disclose Patient 1's name but did reference the news article published by News Agency A (which did include Patient 1's name). Hospital CEO E stated he did not secure Patient 1's permission to disclose her medical information.On 1/5/12 at 12:45 pm, Staff I and J confirmed that they received the above memo, dated 12/20/11. They stated they knew who the patient was based on the information from News Agency A's article. On 1/5/12 at 12:50 pm, Hospital Privacy Officer K stated he was not consulted regarding the above memo and the first he knew of it was when he received it.On 1/30/12, Hospital CEO E was asked to produce a list of all the names of the people who received Patient 1's medical information in this memo. A list of 461 employees and a list of 324 medical staff was received (total = 785 employees).(d) During an interview on 2/1/12 at 9:51 am, News Agency C's reporter stated he received the above memo, dated 12/20/11, in an e-mail communication on 12/27/11 at 4:08 pm from Hospital Communications Director G. On 1/4/12, News Agency C's reporter published a news article that included a link to this memo on the Internet. On 1/30/12 at 1:40 pm, Hospital Communication Director G confirmed that he had not secured Patient 1's permission to disclose her medical information.On 1/26/12 at 8:55 am, Patient 1's family member stated neither she nor Patient 1 had given permission for the release of Patient 1's medical information to anyone at or associated with the hospital.On 1/30/12 at 3 pm, Patient 1 stated she had not given permission to anyone at or associated with the hospital for the disclosure of her medical information.On 1/26/12 at 1:25 pm, when asked what he would do different in retrospect, Hospital CEO E stated he would get the patient's permission first.
Outcome:
Fine imposed and deficiency cited by the California Department of Public Health: Health & Safety Code 1280