Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
UNIVERSITY OF CALIFORNIA SAN FRANCISCO MEDICAL CENTER
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on March 24, 2014. Also cited in 108 other reports.
Report ID: ZMTV11, California Department of Public Health
Reported Entity: UCSF MEDICAL CENTER
Issue:
Based on interview and record review, the hospital failed to protect the confidential information of patients when:1. an insurance verification form was emailed to the wrong patient.2. Post Pregnancy Instructions for two patients were mixed between the two patients and each received the other patient's information, and 3. the ex-wife of a patient reviewed his electronic medical record, without his written authorization, on 42 different occasions prior to their divorce.Findings:1. CA00389517During an interview on 4/1/14 at approximately 10:15 AM, the hospital's Privacy Analyst (PA) stated that on 2/24/14 a clerk in the Center for Reproductive Health emailed an insurance verification form for Patient 1 to another patient. The clerk realized the error immediately after the email was sent so the clerk contacted the recipient and requested that they delete and destroy the incorrect email. Review of the misdirected email indicated it contained the following protected health information: Patient 1's name, date of birth, Insurance Provider, procedure to be covered, and exclusions to coverage. Patient 1 was notified of this breach of her medical information by letter dated 2/27/14.CDPH was notified of this breach of medical information by fax on 2/28/14.2. CA00389535During an interview on 4/1/14 at approximately 10:30 AM, the PA stated that Patient 2 and Patient 3 were seen at the Center for Reproductive Health In Vitro Fertilization Clinic. Both women received "Post Pregnancy Instructions" but Patient 2 was handed Patient 3's instructions, and Patient 3 was handed Patient 2's instructions. This error was detected on 2/24/14.The discharge instructions contained the following protected health information:Patient name, date of birth, medication instructions, and estimated due date of the pregnancy.Both Patients were notified of this breach of medical information by letters dated 2/27/14.CDPH was notified of this breach of medical information by fax on 2/28/14.3. CA00389852During an interview on 4/1/14 at approximately 11:15 AM, the PA stated that based on a tip from an outside source, presumably Staff 1's ex-husband, the hospital did an audit of Staff 1's computer use on 2/26/14. This audit showed that over a period of approximately two years, Staff 1 had accessed her husband's electronic health record on 42 different occasions. The PA stated that during an interview Staff 1 said she had verbal authorization from her husband to review his electronic health record. The PA acknowledged that hospital policy required written authorization for spouses to access one another's records. The PA stated that Staff 1's unauthorized access to her husband's electronic medical record ceased when they were separated and has not recurred since their divorce.The Patient was notified of this breach of the information in his electronic medical record by a letter dated 2/28/14.CDPH was notified of this breach by fax on 3/3/14.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights