For Release: September 09, 2010
PALO ALTO, Calif. — Lucile Packard Children’s Hospital at Stanford is appealing a California Department of Public Health (CDPH) penalty.
The CDPH on April 23, 2010, after the self-reporting of a security incident by Packard Children’s, alerted the hospital that a fine of $250,000 was being levied as a result of what CDPH believes was a late reporting of the incident. This isolated incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.
The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.
Theft charges have been filed against the former employee.
Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer. “We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s. “We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.”
“This theft was very unfortunate,” said Susan Flanagan, RN, chief operating officer. “We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children’s privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”
CDPH fined the hospital $250,000 for allegedly reporting the incident 11 days late. “We believe our communication to CDPH was appropriate and we are appealing the late fee,” said Flanagan.
“Lucile Packard Children’s Hospital is proud to have some of the industry’s strongest policies and controls in place for patient privacy protection,” added Kopetsky. “Even though the investigation revealed that no patient information was compromised and no patients were harmed, we are using this incident to further tighten our security and provide additional education to our staff.”
CDPH has yet to set a date for a ruling on the hospital’s appeal.
Hat-tip, FierceHealthcare
Updated: Jaikumar Vijayan of Computerworld covers the appeal here. Earlier today, I made some comments to a hospital spokesperson who had responded to a previous blog entry on the fine and also attempted to contact the hospital by e-mail to get additional clarification on some points.