2015 Fines For Data Breaches Top $1M

The California Department of Public Health has fined six hospitals and two other healthcare providers more than $1.1 million so far this year for breaches of confidential patient information.

Records show the breaches are typically the result of patient data that was not properly secured either being lost or stolen, or employees inappropriately accessing patient records, often of family members or acquaintances. Health privacy experts say such types of breaches are common.

The CDPH has authority to fine hospitals up to $25,000 per breach of confidential patient information, although the agency typically caps fines at $250,000. The financial penalties are usually based on the severity of the breach and the facility’s ability to pay it.

The largest fines levied by the CDPH so far this year were $250,000 penalties against San Francisco General Hospital and Huntington Memorial Hospital in Pasadena. San Francisco General was penalized for a 2011 incident in which it was discovered that an employee had accessed the records of 98 patients without proper authorization. All of the patients were notified of the breach, and the employee was fired.

Huntington Memorial was penalized for a 2012 incident in which a hospital employee accessed the medical records of 17 patients, including fellow employees and her sister-in-law. The employee was fired.

A case involving Torrance Memorial Medical Center involving a prank carried out by a physician and a nurse that grabbed national headlines led to just a $25,000 fine of the facility by CDPH.

In that 2011 incident, an anesthesiologist placed stickers representing a mustache and teardrops on the face of a hospital employee who underwent a surgical procedure, and then a nursing assistant took that person’s picture. 

The incident grabbed national headlines in 2013 when the patient, identified by the Los Angeles Times as Veronica Valdez, sued for damages connected to the breach of privacy. The physician, Patrick Yang, M.D., kept his privileges to practice at the hospital, but no longer works with Torrance Anesthesia Medical Group, according to a list of physicians on its website. 

The nursing attendant, Patricia Gomez, was suspended by the hospital and placed on a disciplinary track that would have led to her firing for any other incidents. Two other employees were also disciplined for learning of the incident but not reporting it to their superiors.

Although Torrance Memorial officials self-reported the breach to CDPH, its management took issue with the final report from the agency, disputing assertions that several hospital employees were present in the operating room when the stickers were placed and Valdez’s photo was taken, and that the photo was circulated on Facebook, among others.

The Vale Healthcare Center, a nursing home in San Pablo, was fined $244,500 for a 2013 incident wherein information on 219 patients were stolen by the family member of one of the patients. The files were kept in accordion files at an unsecured reception desk at the entrance to the facility. Of the information taken, it was determined that 180 patients had had protected health information stolen.

Accent Home Healthcare in Foster City was fined $150,000 for a 2013 incident involving the theft of six patients’ protected health information from the car of an employee, which had been burglarized. The pilfered data included  patients' Social Security Numbers, dates of birth, addresses and phone numbers.

Among the other providers fined so far this year:

• Arrowhead Regional Medical Center in Colton was fined $95,000 for a 2011 incident in which a clerk looked up her husband’s medical records. He was being treated in the burn unit at the time for a serious allergic reaction to a medication. No action was taken against the employee, whose contract had ended prior to the discovery of the breach.

• Redlands Community Hospital was fined $92,500 for a 2010 incident wherein three hospital employees breached data belonging to three patients who were also hospital employees.

• Colusa Regional Medical Center was fined $6,000 for a 2011 incident where two of the hospital’s nurses accessed a patient’s medical record. The patient was the daughter of a local physician.