Notice and Information Regarding Disclosure of Patient Information

Rady Children’s Hospital-San Diego has notified all affected families with working contact information by phone and/or letter about two instances in which patient information was disclosed by mistake.

Both cases were human error. The security of the Hospital’s information systems was not compromised.

In the first case, on June 6, 2014, an employee of Rady Children’s mistakenly emailed a spreadsheet containing patient names and other information to four job applicants. The employee, who had approved access to the information, intended to send a training file to test the applicants, but attached elements of patient information by mistake.

The spreadsheet contained information on 14,121 patients admitted to Rady Children’s between July 1, 2012 and June 30, 2013. It did not contain patient medical records. It included patients’ names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and other information used for billing including provider and claim information. The email did not contain social security numbers, personal insurance account numbers or credit/debit card numbers, street addresses, or parent and guardian names.

Rady Children’s learned of this incident late in the day on June 10, 2014, and immediately contacted the four individuals who received the emails. Through our interviews with the individuals, we learned that one of them forwarded the email to two other people. Of the six individuals, two were unable to open the file.

Each recipient in this first case confirmed in writing that they have removed the email and spreadsheet attachment. An independent information security firm is verifying that the patient information was removed from the recipients’ devices.

Rady Children’s internal investigation included reviewing whether any other area had used “training files” for testing competency. We discovered one other instance of patient information having been shared in error.

In this case, in 2012, an employee emailed a training exercise, containing very limited patient information, to test three job candidates. Prior to then, six other job applicants came to the Rady Children’s campus to take the test on a Rady Children’s computer, but had no ability to personally use or send the information.

That spreadsheet contained information on 6,307 patients, who were registered for inpatient or outpatient treatment between June 30, 2009 and June 30, 2010. It did not contain patient medical records. It included patients’ names, discharge dates, the location where they were seen, and account information such as the payor name and balance. The spreadsheet did not include dates of birth, diagnoses, street addresses, social security numbers, personal insurance account or credit card numbers. Notification letters were mailed to affected families and Rady Children’s has notified the appropriate regulatory agencies.

Rady Children’s has taken action to prevent this from happening again, including:

  • Using only commercially available and validated testing programs to evaluate job applicants and testing candidates only onsite.
  • Working to enhance information security and automated screening to flag emails that may contain potential protected health or other sensitive information, and require an added level of approval before they can be sent.
  • Working with our email encryption provider to further strengthen our protection of sensitive data.
  • Continuing to provide employees with education regarding privacy policies. We are using these incidents as examples to better inform our leadership team and employees about the need to protect patient information and the importance of the policies we have in place, and to train them in the new measures we are taking.

Families who believe they might be part of the two affected groups (patients admitted to Rady Children’s between July 1, 2012 and June 30, 2013 and patients who were registered for inpatient or outpatient treatment between June 30, 2009 and June 20, 2010) and did not receive a phone call or letter may call toll free (877) 615-3801 for more information.

Rady Children’s deeply regrets that this incident occurred and extends our sincerest apologies to those affected families. The security of patient information is of great importance to Rady Children’s. Please be assured that our patients’ information and our systems remain secure.

Donald B. Kearns, M.D.
Acting President
Rady Children’s Hospital-San Diego

Christina Galbo, MBA, CHC
Chief Compliance & Privacy Officer
Rady Children’s Hospital-San Diego

Posted June 20, 2014