17 Facilities Cited For Privacy Breaches

CDPH Has Issued Record Number of Penalties in 2014
Ron Shinkman

At a time when concerns about patient privacy are regularly being raised by consumer advocates, the state’s hospital watchdog has been investigating and penalizing institutions with an approach that’s all but discreet.

The California Department of Public Health has issued 22 citations and more than $1.2 million in fines against healthcare facilities for breaches of patient privacy so far this year -- a record since it began issuing penalties in 2009. But the agency tucked the information in a corner of its website so obscure that a CDPH public information officer asked a reporter to email him a link to the page in order to answer his questions.

Public records indicate the CDPH has not publicly announced any fines for patient privacy breaches at hospitals since 2010. It’s issued four dozen penalties in the intervening years. A CDPH spokesperson said posting the citations on its website was the equivalent of a public disclosure.

The 2014 penalties involve 17 different institutions, including 13 hospitals, two outpatient clinics and two nursing homes. All of the breaches involved fewer than 20 patients, and most no more than one or two. Narratives involving three of the breaches suggest celebrity patients were involved. The incidents occurred primarily in 2010 and 2011.

The most egregious of the breaches involved St. Mary’s Medical Center in San Francisco, where in 2011 a registration clerk stole the medical records of 17 patients -- including several staff physicians who were themselves treated at the facility -- and sold the data to a Florida identity theft ring, who used it to create fake drivers’ licenses and credit cards. Patients notified the police when unauthorized credit card charges began appearing in their names. The hospital was fined $250,000 for the incident, which the CDPH said St. Mary's is appealing.

The hospital offered credit monitoring to the 17 impacted by the breach and agreed to subject all future hires to background checks. A spokesperson for the hospital, which is operated by Dignity Health, declined to comment.

Another Bay Area facility, San Francisco General Hospital, was penalized and fined $25,000 for a 2011 incident when a medical resident training in the emergency room posted the details of a pediatric patient resuscitated in the ER after an automobile accident to his Facebook account. Although the resident did not disclose the patient’s identity, he did disclose enough of the facts of the accident on his Facebook page that the patient’s identity could be discerned, CDPH investigators concluded.

The penalty is one of two the CDPH has issued this year for breaches involving the use of social media sites. Rick Kam, chief executive officer of ID Experts, a cybersecurity firm in Portland, Ore., that focuses on patient breaches, suggested that the use of social media platforms to violate patient privacy is on the rise, although in most instances they’re used to compile data on a patient in order to complete an identity theft.

San Francisco General was also cited for a 2010 incident when two voice recorders used by a physician to record details of the patients he was treating were lost. Neither of the recorders was encrypted as per hospital policy. The fine in that case was $250,000.

The hospital has been cited by the CDPH for patient confidentiality breaches five times since 2009 and six overall since state laws were passed in 2008 mandating a system of fines for disclosures of patient health information.

Under those laws, the hospitals can be fined up to $25,000 for the first patient breach and $17,500 for each subsequent patient breach. The CDPH generally caps fines per incident at $250,000.

The patient confidentiality laws were passed after personnel at the UCLA Health system were found to be accessing the medical records of celebrity patients and selling them to tabloid media. Four of the incidents disclosed by the CDPH this year suggest that celebrity patients may have had their privacy breached.

UCSF Medical Center received a $249,500 fine for a 2011 incident when a physician had a camera stolen that contained dermatological photos and identifiers for several patients. The physician was obliged to keep the camera in his house, but left it in his car, which was burglarized. UCSF is appealing that penalty, along with a $25,000 fine for another incident involving an employee inappropriately looking up outpatient clinic records.

In a 2010 incident, the Sequoias, a skilled nursing facility in San Mateo County, was penalized and fined $25,000 when an employee posted a notice on their Facebook account saying they were proud to have treated a single patient. The notice linked back to the patient’s own Facebook page, revealing their identity. The CDPH report indicated the patient was “a well-known public personality.” Sequoias is appealing the penalty.

Although the intention of the employees who used social media was not criminal, Deborah C. Peel, M.D., who heads Patient Privacy Rights, an Austin, Texas-based advocacy group, observed that it was both unprofessional and unethical.

“It’s incredibly inconsiderate, and even if you took off enough information from a post that you can’t identify a patient, you've still harmed them irreparably,” she said.

In 2011, Windsor Care Redding Center, a skilled nursing facility in Shasta County, was penalized when an employee took a photo of a showering female patient on their phone and sent it to a former employee. The photo included full-frontal nudity, and the report suggested the patient was a well-known figure.

The facility fired the employee immediately, and agreed to search and scour the Internet to ensure that no photos of the patient were ever posted. It was fined $42,500.

In a 2010 incident, three employees and a physician at Sierra Nevada Memorial Hospital in Grass Valley were found to have inappropriately accessed the medical records of a “well-known member of the community.” The employees received suspensions ranging from two to four weeks, and the physician received counseling. The hospital was fined $5,000.

It is one of two penalties Sierra Nevada has received this year. In another, a physician deliberately discussed a patient’s medical condition in front of three family members and three visitors in order to create “peer pressure” so the patient would be more likely to address his medical conditions. That also led to a $5,000 fine.

A 2010 incident at PIH Hospital in Downey involved two employees who accessed the CT scans of a patient in order to “establish the patient had been treated there,” and a third employee had suggested the patient’s name be replaced with an alias to protect their identity. The hospital was fined $42,500.

However, most of the breaches involved employees who accessed the medical data of patients they were either related to or knew, despite being trained that looking up such information could cost them their jobs.

Kam said such incidents were commonplace, accounting for up to 40% of medical data breaches. Peel said such incidents were often motivated by basic human nosiness.

Two penalties levied against Feather River Hospital in rural Butte County involved employees who looked up the medical data of family members or relatives of another employee in 2011. Those employees were either fired or resigned from their positions. 

Feather River was fined a total of $92,500 for the incidents. It is appealing both cases.

Eastern Plumas Medical Center in Plumas County was penalized when a medical assistant looked up the medical records of her child, who was the subject of a custody battle at the time. The medical assistant lost her job as the result. The hospital was fined $2,500.

Peel noted that most hospital electronic medical records systems possess the basic flaw of being accessible by employees who never treat or interact with the patient directly. 

“These are giant open databases of the most valuable information in the world,” she said.

News Region: California
Keywords: CDPH, hospitals, penalties, data breach