WestCoast Children’s Clinic is mailing letters to the parents of a patient after an e-mail error on November 20 resulted in referral documents containing the patient’s name, date of birth, Social Security number, address, and current health concerns being sent to an unauthorized recipient – a county social worker with the Alameda County Department of Social Services, Child and Family Services Unit.
Well, if you’re going to have a privacy breach of this magnitude, at least the PHI were sent to someone who understands the importance of privacy and confidentiality. The recipient deleted the errant email from his/her e-mail account, although there’s no report that it was securely deleted as opposed to just deleted.
The clinic first discovered the breach on November 27, and by November 28, had notified the California Attorney General’s Office with a sample of their notification letter.
Update of April 24, 2013: In the process of trying to get details about a subsequent breach WestCoast filed with the California Attorney General’s Office, I learned that WestCoast had misunderstood California’s statute and had notified the state even though this breach affected only one individual. This entry has been edited accordingly and serves as a wake-up call that perhaps we shouldn’t assume that all breach notices on the California Attorney General’s breach site really involve more than 500 individuals.