Files Containing Patient Information Released in Error
In the past week, Rady Children’s Hospital-San Diego discovered two instances in which patient medical information was shared by mistake. Both cases were due to human error. The security of our information systems was not compromised in either case.
In the first instance, on June 6, 2014, an employee of Rady Children’s inadvertently emailed a spreadsheet containing identifiable patient information to four job applicants. The employee, who had approved access to the information, intended to send a training file to evaluate the applicants, but attached elements of actual patient information by mistake.
The file contained information on 14,121 patients admitted to Rady Children’s between July 1, 2012 and June 30, 2013. Information included patients’ names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and other information including insurance carrier and claim information. The email did not contain social security, insurance or credit card numbers, street addresses, or parent and guardian names.
Rady Children’s learned of this incident late in the day on June 10, 2014, and immediately contacted the four individuals who received the emails. Through our interviews with the individuals, we learned that one of them forwarded the email on to two other people. Of the six recipients, two were unable to open the file.
Our first priority has been to confirm that each of the recipients deleted the email and the attachment from their computer and/or external devices. Each recipient in this first case confirmed in writing they have removed the email and attachment. We have employed an independent IT security firm to verify that the files have been deleted from the recipients’ devices.
Rady Children’s established a communication center staffed by more than 150 managers, physicians and staff and, within three days, had reached all individuals with working contact information. Rady Children’s is also notifying affected families by mail. Notification letters were mailed on June 16.
Rady Children’s internal investigation included reviewing if any other area had utilized a “training file” for testing competency. We discovered one other instance of patient information being shared in error.
In this case, in August, November, and December 2012, an employee emailed a training exercise, containing limited patient information, to test three job candidates. An additional six job applicants came to the Rady Children’s campus to take the test on a Rady Children’s computer, but had no ability to save, store or send the data.
That file contained information on 6,307 patients, who were registered for inpatient or outpatient treatment between June 30, 2009 and June 30, 2010. Information included patients’ names, discharge dates, location they were seen, and account information such as the payor name and balance. The file did not include dates of birth, diagnoses, street addresses, or social security, insurance or credit card numbers. Notification letters will be mailed as soon as possible.
We are making every effort to contact the three recipients of the email to confirm that the email and file have been destroyed.
Rady Children’s is continuing our investigation and notifying the appropriate regulatory agencies. We have been providing families who request so with copies of all of their information that was released.
Rady Children’s is taking action to prevent this from happening again, including:
• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.
We extend our sincerest apologies to the affected families and to our community.
Media Contact: Ben Metcalf