Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 29, 2014. Also cited in 123 other reports.
Report ID: I2CT11.01, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patients' confidential information (Patients 1 through 463). Patients 1 through 463's confidential information was contained on a laptop computer which was discovered missing from the Rehabilitative Services Department (RSD) on September 25, 2014. This resulted in the unauthorized disclosure of Patients 1 through 463's protected health information (PHI).

Findings:

On October 29, 2014, at 7:45 a.m., an interview was conducted with the Assistant Administrator (AA) and the Hospital Administrative Surveyor (HAS). They stated:

a. On September 25, 2014, the Rehabilitative Services Department Manager (RSDM) discovered one of the laptop computers used to access the patients' medical records, and to document the patients' treatments, was missing.
b. On September 26, 2014, the HAS was notified of the missing portable laptop computer belonging to the RSD.
c. On October 23, 2014, the County Information Security Officer (CISO) was notified of the missing RSD laptop computer.
d. On October 23, 2014, the other two laptop computers in the RSD, which were used for the same function/similar service as the missing laptop computer, were analyzed. It was determined that "temporary files" were found on the computers which were the patients' physical therapy records and "face sheets," and the files were not encrypted (process of encoding messages or information in such a way that only authorized parties can read).

On December 2, 2014, at 1:30 p.m., a subsequent interview was conducted with the HAS. She stated:

a. The records for 463 patients were on the RSD missing laptop computer.
b. The social security number, for 399 of the patients, was part of the information contained on the laptop computer.
c. There were six minor children involved and the notification letters were sent to their parents/guardians.

The individual who took the laptop computer received and had an opportunity to view Patients 1 through 463's PHI, which included name; date of birth; address; telephone number; medical record number; gender; date of service(s); treating physician; diagnosis; treatment received; health insurance information; and for 399 of the 463 patients, their social security number(s).

Patients 1 through 463 were informed of the disclosure of their protected health information (PHI) via letters dated and mailed on December 1, 2014 (66 days after the unlawful or unauthorized access had been detected by the facility, and 59 days after the 5 business days the facility had in order to notify the patients in writing), to their last known addresses. The California Department of Public Health (CDPH) was notified via a telephone call on October 28, 2014, of the unauthorized access of Patients 1 through 463's PHI (32 days after the discovery by the facility, and 25 days after the 5 business days the facility had in order to report the breach in PHI to CDPH).

The facility policy and procedure titled "Computer Access and Use" revised December 2011, revealed "... Security standards for computer workstations, electronic devices, and media controls will be implemented and maintained in compliance with the HIPAA Security Rule to protect the confidentiality, integrity, and availability to authorized users of electronic protected healthcare information (ePHI). ... Unique user identification and password(s) must be used by each user in compliance with the HIPAA Security Rule ... Whenever possible, workstations will be located in secure areas behind locked doors or in other private areas of the hospital not open to the general public. ... Furthermore, confidential information shall not be saved to the personal computer hard drive (e.g., "c" drive) or to any other drive on the personal computer/workstation. Confidential information/documents created by the user that need to be retrieved at a later date must be saved to the (facility name) "P" drive or to disks that are kept in an (facility name) secured location. ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280