Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 ago and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
MAMMOTH HOSPITAL
Cited by the California Department of Public Health for a violation of California’s Health and Safety Code relating to medical privacy during an inspection that began on December 8, 2014. Also cited in 15 other reports.
Report ID: B64C11, California Department of Public Health
Reported Entity: MAMMOTH HOSPITAL
Issue:
Based on interview and record review, the facility failed to ensure the confidential treatment of protected health information (PHI) for one patient (Patient A), when a patient access representative (Employee 1) inadvertently updated in error Patient A's home address in her electronic medical record (EMR). This resulted in Patient A's two bills and two refund checks being mailed to Patient A's emergency contact person's (ECP) address instead of Patient A's home address. This placed Patient A at risk for identity theft and the unauthorized release of PHI.During a phone interview with the Facility Privacy Officer (FPO), on May 19, 2015, at 2:30 PM, to investigate an entity reported incident of a breach of PHI for Patient A. The FPO stated that on October 23, 2013, Patient A called to schedule a physician's appointment. During that process, Employee 1 inadvertently changed the EMR of Patient A's home address to Patient A's ECP's address. The error was left undetected until May of 2014, when the facility sent Patient A's two bills and two refund checks via mail. Patient A was made aware of the incident through her ECP; however Patient A did not notify the facility of the error until her November 24, 2014, physician's appointment. The documents for Patient A were returned by ECP. A review of the documentation that had been mailed to Patient A included two medical bills and two checks that contained PHI which contained: Patient A's name, account number, and date of service.The facility's policy and procedure, titled "Reporting Requirements for Privacy and Security Related Incidents," dated October 23, 2013, indicated "...Personal Health Information (PHI) of a patient, is accessed or otherwise exposed to an individual who is not authorized to receive the PHI."The facility's failure to safeguard the documents containing Patient A's PHI placed Patient A at risk for identity theft and the unauthorized release of PHI.
Outcome:
Deficiency cited by the California Department of Public Health: Patients' Rights