Westcoast Children's Clinic notifies parents after sensitive info faxed to wrong number
Westcoast Children’s Clinic in Oakland recently notified the parents of a patient after a psychological assessment report containing the patient’s name, date of birth, current placement history, developmental and psychological treatment history, limited family history, educational history, current psychological concerns, testing data, results and interpretation, and treatment recommendations was faxed to an unintended recipient. The error occurred because one digit of the dialed fax number was off by 1.
The clinic learned of the April 16 incident on April 19, when the unintended recipient contacted them. According to the clinic, the recipient shredded the misdirected documents. A notification letter was sent to the parents on April 22.
A review of the incident indicated that the employee had not followed established protocols that would have prevented the error.
The employee will receive disciplinary sanctions consistent with the level of privacy breach and will be retrained in privacy practices. All of our employees will be contacted to remind them of the priorities in protecting health information.
Even if the unintended recipient shredded the documents, the information would presumably reside in the memory system of the recipient’s fax machine. I contacted Westcoast Children’s Clinic to inquire about that concern and was informed by Eric Kelly, their IT Director, that the IT person at the office where the fax was misdirected had indicated they would clear the memory on the machine and that Westcoast would be following up to confirm that this was done.
Of note, because California law only requires submissions to the Attorney General’s Office for breaches affecting more than 500 individuals, I had initially assumed that this breach affected more than 500 individuals. It was only in following up on the fax memory issue that I learned that this was a single-individual breach, as was their past report to the state. The previous breach report has been corrected to indicate that it was an N=1 breach. So I learned I cannot assume that every breach reported on California’s site really is an N>500 breach. This case has also reinforced the point that entities should obtain legal advice about their reporting obligations, as needlessly exposing breaches has the potential to inflict avoidable reputation harm and shake the confidence of patients or clients.