Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
SHASTA REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 8, 2013. Also cited in 7 other reports.
Report ID: R6ZF11.01, California Department of Public Health
Reported Entity: SHASTA REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to safeguard confidential health information for three patients (Patients 1-3) when an employee posted protected health information on the internet. This failure resulted in the unauthorized disclosure of confidential health information outside the facility.Findings: On 7/26/13, the California Department of Public Health was notified by the hospital that they had received notification that a former employee (EMP 5) had posted pictures containing patient private health information (PHI) on his personal Facebook site.On 10/8/13 at 2 pm, the Director of Human Resources (DHR) stated that EMP 5 was hired on 7/6/12 to work in the housekeeping department within the Environmental Services Department. The hospital terminated EMP 5's employment on 3/22/13, for faxing an unauthorized memo and pictures to multiple departments containing untrue statements about the environmental services of the hospital. In a concurrent interview and review of photographs printed from Facebook, with the DHR on 10/18/13 at 2 pm, it was revealed that the hospital was notified by an employee of the hospital that they had discovered postings by EMP 5 on a Facebook site on 7/26/13. There were a total of 21 posted pictures of linen and laundry carts, trash containers, and patient care equipment. The posting on the Facebook page also had comments by each photo that they were taken at the hospital. The postings contained a picture of EMP 5 with his name on each of the posted pages. The DHR stated that during the investigation of this potential breach of PHI it was discovered that 3 photographs of medication administration bags posted, contained the names of three separate patients (Patients 1, 2 and 3) in addition to the name of the medication that each of the patients was receiving. The dates on the used patient medication bags posted were in 12/2012.On 10/8/12, the hospital's employee agreement, titled, "Confidentiality Policy/HIPPA Acknowledgement Agreement," signed by EMP 5 on 6/26/2012, read, "Any information concerning patient's illness...is strictly confidential. Under the Health Insurance portability and accountability Act ('HIPPA") there are penalties both civil and criminal for failure to comply with HIPPA requirements."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280