Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
CONTRA COSTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on February 25, 2014. Also cited in 103 other reports.
Report ID: 73NY11, California Department of Public Health
Reported Entity: CONTRA COSTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and document review, the facility failed to prevent unauthorized access to the protected health information (PHI) of five patients when a staff member sent information on the patients to her private email account.
Findings:
In interview on 2/25/14 at 1030 a.m., Staff A stated that the personnel office discovered on 1/10/14 that Staff B, an account clerk in the finance department, had sent email documentation of five patients' PHI to her personal email account. Staff A stated that during an interview on 1/10/14, Staff B stated that she sent emails to her home account to preserve proof that she was doing her job. Staff B also sent the same emails to her boss and her union representative. She bcc'd (blind carbon copy to prevent recipients from knowing other recipients) the emails. Staff A stated that Staff B claimed that she sent the emails to her home account to preserve them because she thought there was a conspiracy against her to get rid of her. She thought she needed to be able to verify the work she was doing. Staff A stated that Staff B claimed others were deleting her office emails to cast blame on her for not doing her job.
In interview on 2/25/14, Staff C stated that Staff B sent five emails that included patient information to her home account. She stated that in four cases, only patient name and medical record number were breached. The fifth email included name, date of birth, medical record number and social security number. Staff C stated that Staff B claimed that no one else ever saw the emails she sent to her home account.
Document review on 2/25/14 demonstrated that in interview on 1/14/14, Staff B claimed that she did not remember receiving PHI training. Staff B stated that PHI rules only prevent talking about patient information concerning illnesses. She stated that she did not remember signing the statement that she had read the facility's confidentiality policy.
Document review on 2/15/14 verified that Staff B had in fact taken the training on PHI required by the facility and was current.
Document review on 2/25/14 verified that the facility informed the five patients and the department on 1/16/14, within five business days of discovery of the breaches.
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280