San Diego hospital breach investigation reveals second incident, both human error
Nearly 20,000 patients of Rady Children's Hospital (RCH) in San Diego are being notified that their personal information was erroneously included in emails sent to job applicants.
How many victims? 14,121 in one incident; 6,307 in another incident.
What type of personal information? For 14,121 individuals, the data included names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and insurance carrier and claim information. For 6,307 individuals, the data included names, discharge dates, locations they were seen, and account information such as payor names and balances.
What happened? In both incidents, an email containing the data was erroneously sent to job applicants.
What was the response? RCH conducted an internal investigation and hired an independent IT firm to verify the emails were deleted from the recipient's devices. RCH is making it so additional approvals must be obtained before sending sensitive data, and is also working to improve protection of sensitive data. RCH is notifying all impacted individuals.
Details: An employee erroneously emailed a spreadsheet containing data on 14,121 patients to four job applicants on June 6. The impacted patients were admitted to RCH between July 1, 2012, and June 30, 2013. RCH learned of the incident on June 10, and as part of the internal investigation learned that a file containing information on 6,307 patients had been emailed to three job candidates in August, November and December of 2012. The information related to patients registered for inpatient or outpatient treatments between June 30, 2009, and June 30, 2010.
Quote: “Both cases were due to human error,” according to a notification posted to the RCH website. “The security of our information systems was not compromised in either case.”
Source: rchsd.org, “Files Containing Patient Information Released in Error,” June, 2014.