DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

San Mateo Medical Center notifies patients after records erroneously recycled instead of shredded

Posted on December 1, 2018 by Dissent

Updated Feb. 22, 2019.  DataBreaches.net was notified that HHS had finally removed the disputed listing from their portal.  But when I checked, I found that it had not really been removed.  OCR had closed its case and moved the entry to its archived  list, with the following note:

On November 13, 2018, OCR received a breach notification report from San Mateo Medical Center (SMMC). SMMC reported that the breach affected approximately 5,000 individuals. After an internal investigation, SMMC determined that the report was filed in error, the incident did not amount to a breach and, the incident should not have been reported since no breach occurred. Based on this information, OCR closed the case.
Under the circumstances, it’s not clear why HHS didn’t just delete the entry entirely.
Previous Update: Note: Following publication of this story, DataBreaches.net was contacted by an SMMC employee who was very upset at what he claimed was inaccurate reporting by this site. He suggested that I do a “sanity-check” on reporting and was upset that I had reported that 5,000 patients were notified. I pointed out to him that the 5,000 figure came from HHS’s public breach tool. He backed off a bit and said he would investigate as that had not been reported to HHS. I never heard back from him or anyone else. As of Dec. 7, the 5,000 figure is still on HHS’s breach tool. So is the correct number 500 or  5000 or something else? At this point, DataBreaches.net is really not sure.

The San Mateo Medical Center has notified 5,000 patients at its Daly City Medical Center location of a breach.

A November 30 notice on its web site explains that SMMC  became aware on November 7, 2018 that on November 6, a

staff person at the Daly City Clinic left a box containing patient information under her desk overnight. The temporary housekeeping staff mistook the box for recycling and put the documents in the recycling bin and not the confidential bin for shredding.

SMMC was unable to determine whose records were in the bin, and so wound up notifying 5,000 patients.

In response to the incident, SMMC reinforced their policies about records to be shredded and eliminated the use of recycling bins altogether:

We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight. A clinic site visit was conducted on November 8, 2018 and November 16, 2018. The clinic manager for Daly City instructed that recycling bins no longer be used and confidential information be immediately placed in a confidential shred bin.

Read their complete notification on their web site.

Category: Health DataPaperU.S.

Post navigation

← Judge Orders Software Exec to Turn Over Laptop After He Leaked Data on Facebook
IA: Data breach found in city of Ames’ parking ticket payment system. It’s Click2Gov, again. →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.