Search Privacy Violations, Breaches and Complaints
This database was last updated in December 2015 and should only be used as a historical snapshot. More recent data on breaches affecting 500 or more people is available at the U.S. Department of Health and Human Services’ Breach Portal.
RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Cited by the California Department of Public Health for violations of California’s Health and Safety Code relating to medical privacy during an inspection that began on October 29, 2014. Also cited in 123 other reports.
Report ID: I2CT11.02, California Department of Public Health
Reported Entity: RIVERSIDE COUNTY REGIONAL MEDICAL CENTER
Issue:
Based on interview and record review, the facility failed to notify the California Department of Public Health (CDPH) of the unauthorized disclosure of Patients 1 through 463's protected health information (PHI) within five business days after the disclosure had been detected by the facility. This resulted in a delay in the notification of CDPH.

Findings:

On October 29, 2014, at 7:45 a.m., an interview was conducted with the Assistant Administrator (AA) and the Hospital Administrative Surveyor (HAS). They stated:
a. On September 25, 2014, the Rehabilitative Services Department Manager (RSDM) discovered one of the laptop computers used to access the patients' medical records, and to document the patients' treatments, was missing.
b. On September 26, 2014, the HAS was notified of the missing portable laptop computer belonging to the RSD.
c. On October 23, 2014, the County Information Security Officer (CISO) was notified of the missing RSD laptop computer.
d. On October 23, 2014, the other two laptop computers in the RSD, which were used for the same function/similar service as the missing laptop computer, were analyzed. It was determined that "temporary files" were found on the computers which were the patients' physical therapy records and "face sheets," and the files were not encrypted (process of encoding messages or information in such a way that only authorized parties can read).

On December 2, 2014, at 1:30 p.m., a subsequent interview was conducted with the HAS. She stated:
a. The records for 463 patients were on the RSD missing laptop computer.
b. The social security number, for 399 of the patients, was part of the information contained on the laptop computer.
c. There were six minor children involved and the notification letters were sent to their parents/guardians.

The individual who took the laptop computer received and had an opportunity to view Patients 1 through 463's PHI, which included name; date of birth; address; telephone number; medical record number; gender; date of service(s); treating physician; diagnosis; treatment received; health insurance information; and for 399 of the 463 patients, their social security number(s).

Patients 1 through 463 were informed of the disclosure of their protected health information (PHI) via letters dated and mailed on December 1, 2014 (66 days after the unlawful or unauthorized access had been detected by the facility, and 59 days after the 5 business days the facility had in order to notify the patients in writing), to their last known addresses. The California Department of Public Health (CDPH) was notified via a telephone call on October 28, 2014, of the unauthorized access of Patients 1 through 463's PHI (32 days after the discovery by the facility, and 25 days after the 5 business days the facility had in order to report the breach in PHI to CDPH).

The facility policy and procedure titled "Breach of Patient Privacy" reviewed July 8, 2014, revealed "... Report to the Appropriate Regulatory Agency(ies) ... Reports must be made to: CDPH, no later than five (5) business days after the unlawful or unauthorized access, use, or disclosure has been detected by (Name of facility). ..."
Outcome:
Deficiency cited by the California Department of Public Health: Health & Safety Code 1280