San Diego hospital breach investigation reveals second incident, both human error

Share this article:

Nearly 20,000 patients of Rady Children's Hospital (RCH) in San Diego are being notified that their personal information was erroneously included in emails sent to job applicants.

How many victims? 14,121 in one incident; 6,307 in another incident. 

What type of personal information? For 14,121 individuals, the data included names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and insurance carrier and claim information. For 6,307 individuals, the data included names, discharge dates, locations they were seen, and account information such as payor names and balances.

What happened? In both incidents, an email containing the data was erroneously sent to job applicants.

What was the response? RCH conducted an internal investigation and hired an independent IT firm to verify the emails were deleted from the recipient's devices. RCH is making it so additional approvals must be obtained before sending sensitive data, and is also working to improve protection of sensitive data. RCH is notifying all impacted individuals.

Details: An employee erroneously emailed a spreadsheet containing data on 14,121 patients to four job applicants on June 6. The impacted patients were admitted to RCH between July 1, 2012, and June 30, 2013. RCH learned of the incident on June 10, and as part of the internal investigation learned that a file containing information on 6,307 patients had been emailed to three job candidates in August, November and December of 2012. The information related to patients registered for inpatient or outpatient treatments between June 30, 2009, and June 30, 2010.

Quote: “Both cases were due to human error,” according to a notification posted to the RCH website. “The security of our information systems was not compromised in either case.”

Source:, “Files Containing Patient Information Released in Error,” June, 2014.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters



More in The Data Breach Blog

Two laptops containing patient data stolen from American Family Care

The two laptops stolen from American Family Care were password protected, yet unencrypted, and may have contained Social Security numbers.

Viator investigates payment card breach, notifies 1.44 million customers

More than 1.4 million Viator customers are being notified that their personal data, including payment card information, may have been compromised.

Florida medical center hit with breach for third time in two years

Aventura Hospital and Medical Center has reported a data breach for the third time in two years.