CDPH Issues Penalties to Hospitals for Privacy Breaches (Updated)

You know all those monetary penalties HHS generally doesn’t hand out? Well, the state of California does when it enforces Section 1280.15 of the California Health and Safety Code.

Earlier this year, the California Department of Public Health (CDPH) announced it had issued monetary penalties this year to the following hospitals after investigations into privacy breaches.  Links below lead to the complaint investigation summary for the entity, and I’ve annotated each entry with additional information summarizing the breach and reporting the amount of the fine in italics.

Colusa County  

Colusa Regional Medical Center
199 E. Webster St, Colusa 95932 – Survey findings on breach of confidential patient medical information issued by the department on 7/19/2011. Two employees accessed, without authorization, the medical records of a patient who was the daughter of a local physician. The medical center was fined $6,000 for this breach. 

Contra Costa County

Vale Healthcare Center
13484 San Pablo Ave, San Pablo 94806 – Survey findings on breach of confidential patient medical information issued by the department on 1/17/2014. An investigation found that the center failed to adequately protect 180 of 219 sampled residents’ PHI when it left accordion files containing residents’ personal and financial  records at an unattended and unsecured reception desk located at the main entrance to the facility. The files were stolen by a visitor. The center was fined $244,700.00 for this breach, and appealed it. 

Los Angeles County

Huntington Memorial Hospital
100 W. California Blvd, Pasadena 91105 – Survey findings on breach of confidential patient medical information issued by the department on 5/04/2012. An employee accessed 17 patients’ EMR without authorization. The hospital was fined $250,000 and appealed. 

Torrance Memorial Medical Center
3330 Lomita Blvd, Torrance 90505 – Survey findings on breach of confidential patient medical information issued by the department on 4/22/2013. Note that the Torrance Memorial Medical Center incident had been noted on this blog previously. The medical center was fined $25,000 for this breach. 

San Bernardino County

Arrowhead Regional Medical Center
400 North Pepper Ave, Colton 92324 – Survey findings on breach of confidential patient medical information issued by the department on 12/09/2011. A patient’s medical records were wilfully breached five times by an employee who was a relative of the patient. The medical center was fined $95,000 for this breach.

Redlands Community Hospital
350 Terracina Blvd, Redlands 92373 – Survey findings on breach of confidential patient medical information issued by the department on 5/04/2010. A routine audit detected that three employees had accessed, without authorization, three patients’ records. The three patients were also on staff at the hospital. The hospital was fined $92,500.00.

San Francisco County

San Francisco General Hospital
1001 Potrero Ave, San Francisco 94110 – Survey findings on breach of confidential patient medical information issued by the department on 5/16/2011. A staff person accessed 98 patients’ records without authorization. The hospital was fined $250,000 for the breach. This was not their first big fine for a privacy breach, either. They’ve been fined $187,500.00 for a 2009 breach,  $250,000.00 for a 2010 breach reported previously on this site, and $250,000.00 for a 2011 breach. And that’s just the big fines. There have been other privacy/security breaches they’ve also been fined for by CDPH. 

San Mateo County

AccentCare Home Health of California, Inc.
1065 E. Hillsdale Blvd Suite 100B, Foster City 94404 – Survey findings on breach of confidential patient medical information issued by the department on 11/21/2012. The agency failed to protect six patients’ personal and medical information when a clinician left their records unattended and unsecured in her personal vehicle which was then burglarized while she was watching a football game at a restaurant. I was unable to locate the amount of the fine for this one, and have emailed CDPH to inquire. [UPDATE: CDPH informs me that the fine was $150,000 and AccentCare has appealed it.]

 

About the author: Dissent