San Mateo Medical Center notifies patients after records erroneously recycled instead of shredded

Updated Feb. 22, 2019.  DataBreaches.net was notified that HHS had finally removed the disputed listing from their portal.  But when I checked, I found that it had not really been removed.  OCR had closed its case and moved the entry to its archived  list, with the following note:

On November 13, 2018, OCR received a breach notification report from San Mateo Medical Center (SMMC). SMMC reported that the breach affected approximately 5,000 individuals. After an internal investigation, SMMC determined that the report was filed in error, the incident did not amount to a breach and, the incident should not have been reported since no breach occurred. Based on this information, OCR closed the case.
Under the circumstances, it’s not clear why HHS didn’t just delete the entry entirely.
Previous Update: Note: Following publication of this story, DataBreaches.net was contacted by an SMMC employee who was very upset at what he claimed was inaccurate reporting by this site. He suggested that I do a “sanity-check” on reporting and was upset that I had reported that 5,000 patients were notified. I pointed out to him that the 5,000 figure came from HHS’s public breach tool. He backed off a bit and said he would investigate as that had not been reported to HHS. I never heard back from him or anyone else. As of Dec. 7, the 5,000 figure is still on HHS’s breach tool. So is the correct number 500 or  5000 or something else? At this point, DataBreaches.net is really not sure.

The San Mateo Medical Center has notified 5,000 patients at its Daly City Medical Center location of a breach.

A November 30 notice on its web site explains that SMMC  became aware on November 7, 2018 that on November 6, a

staff person at the Daly City Clinic left a box containing patient information under her desk overnight. The temporary housekeeping staff mistook the box for recycling and put the documents in the recycling bin and not the confidential bin for shredding.

SMMC was unable to determine whose records were in the bin, and so wound up notifying 5,000 patients.

In response to the incident, SMMC reinforced their policies about records to be shredded and eliminated the use of recycling bins altogether:

We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight. A clinic site visit was conducted on November 8, 2018 and November 16, 2018. The clinic manager for Daly City instructed that recycling bins no longer be used and confidential information be immediately placed in a confidential shred bin.

Read their complete notification on their web site.

Related Posts:

About the author: Dissent

Comments are closed.