This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.

RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

26520 CACTUS AVENUE MORENO VALLEY, CA 92555

Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on June 25, 2014. Also cited in 123 other reports.


Report ID: PTU511, California Department of Public Health

Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER

Issue:

Based on interview and record review, the facility failed to ensure all patient protected health information (PHI) was kept protected, which resulted in the unauthorized access of the patients' confidential information (Patients 1 through 563). Patients 1 through 563's confidential information was contained on a laptop computer which was discovered missing from the Neurodiagnostic Department on June 18, 2014. This resulted in the unauthorized disclosure of Patients 1 through 563's protected health information (PHI).

Findings:

On June 25, 2014, at 3:10 p.m., an interview was conducted with the Administrative Services Officer (ASO). She stated:

a. On June 18, 2014, a staff member of the Neurodiagnostic Department discovered the laptop computer used to perform Electromyography (EMG - procedure for evaluating and recording the electrical activity produced by skeletal muscles during rest and activity) was missing.

b. On June 17, 2014, the laptop computer had been used to perform the EMGs for the day and the computer data had been "backed-up" on a disk that evening which verified the PHI, for 563 patients, was on the laptop computer.

c. The disk showed the information on the laptop computer affected patients seen from September 2012, to date, in the Neurodiagnostic Department, for an EMG either as an inpatient or as an outpatient.

d. EMGs were only done on Tuesdays and Thursdays, and the room where the laptop computer was located was used for other procedures on Mondays, Wednesdays, and Fridays.

e. The laptop computer was "secured by a Velcro strap to a cart," no security code was required to access the computer files, the patient files were "not encrypted," and the patient files were stored on the hard drive of the laptop computer.

f. A police report was filed and the local media was contacted.

The individual who took the laptop computer received and had an opportunity to view Patients 1 through 563's PHI, which included name, date of birth, medical record number, gender, date of service, name of physician interpreting the results, referring physician's name, indication for the EMG diagnostic procedure, EMG procedure results, and medical history.

Patients 1 through 563 were informed of the disclosure of their protected health information (PHI) via letters dated and mailed on June 24, 2014, to their last known addresses. The California Department of Public Health (CDPH) was notified via a telephone call on June 24, 2014, of the unauthorized access of Patients 1 through 563's PHI. The Secretary of Health and Human Services (HHS) was notified on June 24, 2014. The media was informed on June 24 and 25, 2014.

The facility policy and procedure titled "Computer Access and Use" revised April 11, 2005, revealed "... Security standards for computer workstations, electronic devices, and media controls will be implemented and maintained in compliance with the HIPAA Security Rule to protect the confidentiality, integrity, and availability to authorized users of electronic protected healthcare information (ePHI). ... Unique user identification and password(s) must be used by each user in compliance with the HIPAA Security Rule ... Whenever possible, workstations will be located in secure areas behind locked doors or in other private areas of the hospital not open to the general public. ... Furthermore, confidential information shall not be saved to the personal computer hard drive (e.g., "c" drive) or to any other drive on the personal computer/workstation. Confidential information/documents created by the user that need to be retrieved at a later date must be saved to the (facility name) "P" drive or to disks that are kept in an (facility name) secured location. ..."

The facility policy and procedure titled "Patient Privacy, Confidentiality, Medical Records, and Access to, or Release or Disclosure of, Patient Information" revised January 2, 2009, revealed "... In compliance with State law, upon identification of unlawful or unauthorized access to or use or disclosure of patient healthcare/medical information, a report to both the patient and California Department of Public Health (CDPH) will be made within no more than five (5) days from the identification documented by the Compliance & Privacy Officer. ... The report to CDPH will be by phone or FAX to the local district office. ..."

Outcome:

Deficiency cited by the California Department of Public Health: Health & Safety Code 1280
