San Diego hospital breach investigation reveals second incident, both human error

Nearly 20,000 patients of Rady Children's Hospital (RCH) in San Diego are being notified that their personal information was erroneously included in emails sent to job applicants.

How many victims? 14,121 in one incident; 6,307 in another incident. 

What type of personal information? For 14,121 individuals, the data included names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and insurance carrier and claim information. For 6,307 individuals, the data included names, discharge dates, locations they were seen, and account information such as payor names and balances.

What happened? In both incidents, an email containing the data was erroneously sent to job applicants.

What was the response? RCH conducted an internal investigation and hired an independent IT firm to verify the emails were deleted from the recipients' devices. RCH is requiring additional approvals before sensitive data can be sent, and is also working to improve protection of sensitive data. RCH is notifying all impacted individuals.

Details: An employee erroneously emailed a spreadsheet containing data on 14,121 patients to four job applicants on June 6. The impacted patients were admitted to RCH between July 1, 2012, and June 30, 2013. RCH learned of the incident on June 10, and as part of the internal investigation learned that a file containing information on 6,307 patients had been emailed to three job candidates in August, November and December of 2012. The information related to patients registered for inpatient or outpatient treatments between June 30, 2009, and June 30, 2010.

Quote: “Both cases were due to human error,” according to a notification posted to the RCH website. “The security of our information systems was not compromised in either case.”

Source: rchsd.org, “Files Containing Patient Information Released in Error,” June, 2014.
