Hospital Appeals $250,000 Breach Fine
California Says Report on Incident Was Tardy
Lucile Packard Children's Hospital at Stanford in Palo Alto, Calif., says the Jan. 11 breach stemmed from an employee taking home an unencrypted hospital desktop computer that contained protected health information on 532 patients.
In addition to the $250,000 fine tied to the reporting of the Jan. 11 incident, the state this year has assessed the hospital with $1,500 fines related to two other tardy breach reporting incidents.
Under state law SB 541, breaches must be reported within five days. Organizations can be fined $100 per day per patient affected for reporting breaches late, up to a maximum of $250,000 for each incident, says a spokesman for the California Department of Public Health.
The Investigation
In the aftermath of the Jan. 11 incident, the hospital worked with law enforcement officials in an attempt to recover the computer, but determined it could not be recovered, according to a hospital statement. Theft charges have been filed against the now-former employee. So far, there's no evidence that the information on the computer has been inappropriately used, the hospital reports.
The "statement of deficiencies" filed about the case by the public health department states that the hospital confirmed Feb. 1 that the computer contained protected health information, but it did not report the breach to the state or the families affected until Feb. 19.
Information on the computer, according to the state report, included patients' "names, dates of birth, medical records numbers, diagnoses, procedures, insurance information and/or Social Security numbers."
On March 9, the U.S. Department of Health and Human Services Office for Civil Rights posted information about the incident on its list of major breaches.
The hospital says it reported the incident to the state, as well as federal authorities and the parents/guardians of those patients potentially affected, as required under the HITECH Act breach notification rule, "as soon as the hospital and law enforcement determined the computer was not recoverable." The hospital's statement adds: "We believe our communication to CDPH was appropriate, and we are appealing the late fee."
While the California law requires that breaches be reported within five days, the HITECH breach notification rule requires notification without unreasonable delay and no later than 60 days after the breach is discovered; the 60 days is an outer limit, not a grace period.
A hearing date on the appeal has not yet been set.