Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
LOMA LINDA UNIVERSITY MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on May 19, 2015. Also cited in 44 other reports.
Report ID: YUIF11.01, California Department of Public Health
Reported Entity: LOMA LINDA UNIVERSITY MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment Patient A's protected health information (PHI) when a Licensed Vocational Nurse (LVN 1) faxed Patient A's laboratory order requisition document to an unintended recipient. This resulted in an unauthorized disclosure of Patient A's PHI.Findings:On May 19, 2015 at 1:50 PM, a phone interview was conducted with the Compliance Specialist regarding an entity reported incident of a breach of Patient A's PHI. The Compliance Specialist stated the LVN 1 faxed a laboratory order requisition document to an unintended recipient.The Compliance Specialist stated the facility detected the breach on April 16, 2015, when the unintended recipient notified the facility of receiving Patient A's laboratory order requisition document which contained Patient A's name, gender, date of birth, age, address, last four digits of social security number, identification number, account number, laboratory test names, and diagnoses codes. A formal letter of notification was sent to Patient A of the breached PHI, and provided a copy of the letter for review.On June 10, 2015 at 10:00 AM, a phone interview was conducted with LVN 1 regarding this entity reported incident. LVN 1 stated she was faxing a laboratory order requisition document for Patient A to the laboratory facility where Patient A's goes to get her laboratory procedures done. While on the phone with Patient A, the LVN 1 looked up, on the computer, the laboratory facility Patient A uses and verified with Patient A that it was the correct laboratory. LVN 1 stated the patient (Patient A) said it was. LVN 1 stated she faxed the laboratory order requisition document using the fax number from the laboratory facility's web site.LVN 1 stated she did not call the laboratory facility prior to faxing the laboratory order requisition document to verify the web site fax number was the correct fax number for the specific laboratory facility which Patient A has her laboratory procedures completed.A copy of the letter of notification sent to Patient A dated May 6, 2015, informing her about the breach of PHI was reviewed.A review of the laboratory order requisition document indicated Patient A's name, gender, date of birth, age, address, last four digits of social security number, identification number, account number, laboratory test names, and diagnoses codes.A review of the facility's policy and procedure titled, "Fax Security" dated June 2013, indicated "Prior to pushing 'Send / Start / Go' on fax machine, the sender shall confirm that the number dialed is correct.The facility failed to ensure Patient A's laboratory order requisition document was faxed to the intended recipient resulting in an unauthorized release of Patient A's PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights