The confidential health records of approximately 20,000 patients treated at two Orange County hospitals were potentially available to find through online search engines, a St. Joseph Health System official said Wednesday.
The information belonged to patients of St. Jude Medical Center in Fullerton and Mission Hospital locations in the cities of Laguna Beach and Mission Viejo. The medical information of 31,800 patients across six separate hospitals in California was also available online.
“We regret the situation, and we want to express our apologies that this did happen, and we are working very hard to make sure that this does not happen again,” said Susan Solomon, vice president of marketing and communications at the hospital. “We know the data is secure at this point.”
St. Jude became aware that the information was leaked when a patient’s attorney contacted officials at the hospital.
“The data did not include social security numbers, addresses or financial data … granted we know this information is absolutely of concern (to) people,” Solomon said.
The information may have included “patient name, body mass index (BMI), blood pressure, lab results; smoking status, diagnoses lists, medication allergies, advance directive status and demographic information (spoken language, ethnicity, race, gender and birth date),” according to a press release from St. Jude Medical Center.
Although apparently one patient was able to find the information online, the data was not easy to locate, Solomon said.
“Quite frankly, that information was difficult to find … in general it would have been a pretty complex search combination of terms,” she said.
The information has been contained and is now being stored in a secure area of the hospital’s website.
In response to the situation, the hospital is reaching out to patients and providing free identity theft protection services, Solomon said.
“Protecting privacy is a priority of our organization and we deeply regret any concerns or inconveniences this situation will cause those we serve,” said Clyde Wesp, M.D., chief medical officer and chief medical information officer of the hospital’s parent organization, St. Joseph Health System, in a press release. “Patients should know we will continue to work to ensure this situation does not occur again.”
Letters informing patients of the potential security issue were sent to three other affected hospitals in Northern California: Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital and Petaluma Valley Hospital, according to the press release.
Victor Rodriguez, a senior nursing major at Cal State Fullerton, believes privacy is an important issue when working in the medical field, and CSUF nursing professors are always saying “HIPAA, HIPAA, HIPAA.”
The Health Information Portability and Accountability Act of 1996 sets national standards that protect the privacy of individually identifiable health information.
“The HIPAA laws are actually the Health Insurance Portability (and Accountability) Act, and it was established by health care companies to actually send electronic information securely from one hospital to another,” said Rodriguez.
The U.S. Department of Health & Human Services website states: “The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.”
Rodriguez said there is a lot of precaution by hospitals in making sure a patient’s medical information is kept safe.
“There is a whole IT (information technology) department dedicated to this,” he said.
When medical staff access the information of a patient, that information is being sent to an information department to monitor who is looking at patient information, whether it be a doctor, nurse or any other Allied Health professional, Rodriguez said.
In its statement, the St. Joseph Health System said: “Patients who believe their personal information is illegally used are advised to contact their local police department and file a complaint with the Federal Trade Commission (at) ftc.gov/idtheft or at 1-877-ID-THEFT.”