Hospital Appeals $250,000 Breach Fine

California Says Report on Incident Was Tardy

A California hospital is appealing a $250,000 fine imposed for reporting an information breach later than required under a tough state law.

Lucile Packard Children's Hospital at Stanford in Palo Alto, Calif., says the Jan. 11 breach stemmed from an employee taking home an unencrypted hospital desktop computer that contained protected health information on 532 patients.

In addition to the $250,000 fine tied to the reporting of the Jan. 11 incident, the state this year has also assessed $1,500 fines against the hospital for two other late breach reports.

Under state law SB 541, breaches must be reported within five days. Organizations can be fined $100 per day per patient affected for reporting breaches late, up to a maximum of $250,000 for each incident, says a spokesman for the California Department of Public Health.

The Investigation

In the aftermath of the Jan. 11 incident, the hospital worked with law enforcement officials in an attempt to recover the computer, but determined it could not be recovered, according to a hospital statement. Theft charges have been filed against the now-former employee. So far, there's no evidence that the information on the computer has been inappropriately used, the hospital reports.

The "statement of deficiencies" filed about the case by the public health department states that the hospital confirmed Feb. 1 that the computer contained protected health information, but it did not report the breach to the state or the families affected until Feb. 19.

Information on the computer, according to the state report, included patients' "names, dates of birth, medical records numbers, diagnoses, procedures, insurance information and/or Social Security numbers."

On March 9, the U.S. Department of Health and Human Services Office for Civil Rights posted information about the incident on its list of major breaches.

The hospital says it reported the incident to the state, as well as federal authorities and the parents/guardians of those patients potentially affected, as required under the HITECH Act breach notification rule, "as soon as the hospital and law enforcement determined the computer was not recoverable." The hospital's statement adds: "We believe our communication to CDPH was appropriate, and we are appealing the late fee."

While the California law requires that breaches be reported within five days, the HITECH breach notification rule requires reporting within 60 days.

A hearing date on the appeal has not yet been set.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
