Human error caused a breach of protected health information at Rady Children’s Hospital-San Diego and the resulting investigation discovered a similar earlier breach.

Now, the hospital is tackling the two breach incidents simultaneously and offering nearly 20,500 affected families a year of identity protection services from AllClear.

On June 6, 2014, a Rady employee inadvertently e-mailed a spreadsheet with identifiable patient information to four job candidates, according to a statement from the hospital. “The employee, who had approved access to the information, intended to send a training file to evaluate the applicants, but attached elements of actual patient information by mistake.”

The file included names, birth dates, primary diagnoses, admit/discharge dates, medical record numbers and insurance carrier and claim information on 14,121 patients. It did not contain Social Security, insurance and credit/debit card numbers, street addresses, or patient and guardian names. Rady learned of the breach on June 10, interviewed the four applicants and found that two had forwarded the e-mail to another person. Of the six recipients, two were unable to open the file. Each recipient has confirmed in writing that they removed the e-mail and attachment from their computing devices and the hospital contracted with a security firm to verify deletion of the information.

The hospital quickly put together a communications center staffed with 150 managers, physicians and staff, contacted all affected families within three days, and then mailed notification letters on June 16.

The internal investigation of the initial breach included a review of other areas of the hospital that used a “training file” for testing competency, according to the hospital. The review discovered that in August, November and December 2012, an employee e-mailed a training exercise with patient information to three job candidates. Another six applicants came to the campus to take the test on Rady’s computer, but had no ability to save, store or transmit data. This filed contained information on 6,307 patients, but also had no Social Security or financial data. “We are making every effort to contact the three recipients of the email to confirm that the email and file have been destroyed,” according to the hospital statement.

Based on the protected information breached, Rady Children’s Hospital was not required to personally notify families in advance of mailing breach notification letters or offer the identity protection services, a spokesperson tells Health Data Management. “But the hospital believes it is important to do whatever we could to restore our families’ trust and confidence.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access