By Christine Kern, contributing writer
Former hospital employee takes admission logs out of California hospital, causing a breach of 6,000 records.
Tri-City Medical Center in Oceanside, CA, has acknowledged a breach of patient data after a stack of hospital admission logs was taken out of the hospital and put in a former employee's car, according to a report from the San Diego Union-Tribune.
The allegation states the admission logs were left on a records cart used by the former employee to transport personal belongings from the hospital. The logs covered patients who came to the ER and were admitted to the hospital or transferred to another facility between December 1, 2013 and May 13, 2014. Louis Montulli, a member of Tri-City's Governance Committee, said in the report that the employee accidentally removed the patient records and notified him of the incident shortly after they had been put in the employee's vehicle. Montulli said in the report he advised the employee to give the records to the California Department of Public Health, which the employee did.
Montulli and the former employee initially estimated that the records contained the names, birth dates, and diagnoses of nearly 35,000 patients. No financial data or Social Security numbers were in the documents, according to the report.
According to Montulli, the logs are usually stored in a locked records room at the hospital, but had been loaded on a cart for viewing by an inspector with The Joint Commission, an accreditation agency that was on site for an inspection. He said Tri-City is conducting an investigation to determine why the records weren’t returned to the hospital’s records room after they were viewed. “We have security videos that are being reviewed. We will make those available to the authorities,” Tri-City chief executive Tim Moran said.
Moran said the records should have been immediately returned to the hospital. He cited confidentiality agreements, signed by all employees and by hospital board committee members, which require inadvertently removed documents to be immediately returned upon discovery, even if they are found by an employee who has been fired and no longer technically works for Tri-City. “I expect employees to respect their obligations,” Moran said.
Montulli said that he instructed the former employee to turn the records over to regulators so that the breach would not be covered up. “The whole incident would have been buried. It would have gone uninvestigated,” Montulli said.
The hospital is now notifying about 6,500 patients of a breach of protected information that includes names, dates of birth, service dates, admitting physicians, medical record numbers, and diagnosis and admit dates and times.
“While the person who removed the logs was not authorized to do so, we are not currently aware of any use or further disclosure of the private information on the logs,” according to a notice sent to patients. “However, you may wish to have a fraud alert placed on your credit files.”