San Mateo Medical Center notifies patients after records erroneously recycled instead of shredded
Updated Feb. 22, 2019. DataBreaches.net was notified that HHS had finally removed the disputed listing from their portal. But when I checked, I found that it had not really been removed. OCR had closed its case and moved the entry to its archived list, with the following note:
On November 13, 2018, OCR received a breach notification report from San Mateo Medical Center (SMMC). SMMC reported that the breach affected approximately 5,000 individuals. After an internal investigation, SMMC determined that the report was filed in error, the incident did not amount to a breach and, the incident should not have been reported since no breach occurred. Based on this information, OCR closed the case.
The San Mateo Medical Center has notified 5,000 patients at its Daly City Medical Center location of a breach.
A November 30 notice on its web site explains that SMMC became aware on November 7, 2018 that on November 6, a
staff person at the Daly City Clinic left a box containing patient information under her desk overnight. The temporary housekeeping staff mistook the box for recycling and put the documents in the recycling bin and not the confidential bin for shredding.
SMMC was unable to determine whose records were in the bin, and so wound up notifying 5,000 patients.
In response to the incident, SMMC reinforced their policies about records to be shredded and eliminated the use of recycling bins altogether:
We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight. A clinic site visit was conducted on November 8, 2018 and November 16, 2018. The clinic manager for Daly City instructed that recycling bins no longer be used and confidential information be immediately placed in a confidential shred bin.