This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services' Breach Portal.

SUTTER SANTA ROSA REGIONAL HOSPITAL

30 MARK WEST SPRINGS ROAD, SANTA ROSA, CA 95403

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on August 30, 2013. Also cited in 15 other reports.


Report ID: T6OZ11, California Department of Public Health

Reported Entity: SUTTER SANTA ROSA REGIONAL HOSPITAL

Issue:

Based on interview and record review, the facility failed to prevent unauthorized access and disclosure of three patients' (Patient 1, Patient 3, and Patient 4) medical information when: 1) Patient 1's Emergency Department discharge instructions and prescription were handed to Patient 2; 2) Patient 3's medical record information was faxed to a private party; and 3) Patient 4's medical information was opened and read during a computer hacking incident. These failures allowed the unlawful or unauthorized access of protected health information.

Findings

CA 00367581

The California Department of Public Health was notified on 8/27/13 that a "Breach of Protected Health Information (PHI)" occurred on 8/25/13.

During an interview on 8/30/13 at 1:15 p.m., Administrative Staff A stated that, on 8/26/13, her department was notified by Manager D that she had been contacted by Patient 2, who returned the discharge instructions and prescription for Patient 1 that she had received the day before, 8/25/13. The PHI consisted of Patient 1's discharge instruction summary with her name, physician seen, department seen in, reason for being seen, and medication prescription.

Administrative Staff A also stated that the breach occurred on 8/25/13 after both patients had seen Physician C, with the same complaint, and Licensed Staff B handed out Patient 1's discharge instructions and prescription in error to Patient 2. Administrative Staff A further stated that it was an error, in not following policy and procedure, when Licensed Staff B handed Patient 2 the discharge information for Patient 1 without double-checking Patient 2's identity and comparing it to the discharge and prescription sheets.

CA00367927

The California Department of Public Health was notified on 8/29/13 that a "Breach of Protected Health Information (PHI)" occurred on 8/27/13.

During an interview on 8/30/13 at 1:30 p.m., Administrative Staff A stated that she was notified, on 8/27/13, by Unlicensed Staff E, that Private Party G had received a faxed copy of Patient 3's medical record information in error.

The PHI contained Patient 3's: name, medical record number, account number, race, age, gender, address, brother's name/address/phone number, sister's name/phone number, insurance carriers' name/address, allergies, three physicians' names, history/physical, diagnoses, progress notes, current medication list, inpatient room number, and laboratory results. Administrative Staff A also stated that it was an error, on the part of Plan Representative F, in that she gave the wrong fax number to Unlicensed Staff E when requesting that PHI for Patient 3 be sent to the insurance carrier on 8/27/13. The correct fax number started with 545, and the fax number for Private Party G, given in error by Plan Representative F, started with 575.

CA00367929

The California Department of Public Health was notified on 8/29/13 that a "Breach of Protected Health Information (PHI)" occurred on 8/27/13.

During an interview on 8/30/13 at 1:45 p.m., Administrative Staff A stated that, on 8/27/13, she was notified by Security Analyst H, who told her that the Information Technology Security System had detected a hacking job, by Computer Hacker I, into Physician J's Outlook Web account. The account review, by Security Analyst H, included 4,000 e-mails, only one of which included a letter with PHI belonging to Patient 4. Patient 4's PHI included his name, discharge status, discharge date, legal hold, and room locations. Physician J's e-mail account was canceled and a reconfigured account established, without the facility being able to establish how Dr. J's computer login information was obtained.

A review of the facility Policy and Procedure for "Workforce Confidentiality/Privacy and Appropriate Use of Facility Property" (no date) reveals the following: "C. Access and Use of Patient and Business Information...3. Workforce members are expected to adhere to the following guidelines in order to maintain security and confidentiality: a. Ensure recipients of confidential information are authorized to receive it. Verify identities of recipients before releasing any information".

A review of the facility Policy and Procedure for "Confidentiality of Patient Care Information" (10/10) reveals the following: "I. POLICY Persons receiving health care services have the right to expect that the confidentiality of individually identifiable medical information will be reasonably preserved. Information regarding the hospital's patients' medical or personal status will not be released or disclosed inappropriately...III. APPLICATION OF POLICY A. All patient-related information is confidential. It will be shared only with those persons that have a legal right (i.e. the patient or the patient's surrogate) or a legitimate work-related need to know".

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
