The following press release from California Pacific Medical Center, a Sutter Health facility, was submitted to the California Attorney General’s web site today. A copy of the notice, dated January 23, 2015, is also posted on CPMC’s web site:
Audit finds employee access to patient files without apparent business or treatment purpose
California Pacific Medical Center (CPMC) recently notified 844 patients of its discovery that a pharmacist employee may have accessed their records without a business or treatment purpose.
CPMC first learned of the incident through a proactive audit of its electronic medical record system on October 10, 2014. The initial audit resulted in identification and notification of 14 individuals on October 21, 2014. Following its policy, CPMC terminated its relationship with the employee and broadened the investigation
The expanded investigation identified a total of 844 patients whose records the employee may have accessed without an apparent business or treatment purpose. It is unclear whether all of these records were accessed inappropriately but, out of an abundance of caution, CPMC notified all of these patients.
CPMC has determined that between October 2013 and October 2014, the employee accessed the following types of information without an apparent valid purpose: patient demographics, last four digits of social security number, clinical information including diagnosis and clinical notes, and prescription information. The type of information varied for each patient. While the employee potentially viewed the last four digits of some social security numbers, the employee did not have access to full Social Security numbers, driver’s license numbers, California identification numbers, credit card numbers or financial account information. CPMC has no evidence of a malicious intent or any unauthorized sharing of patient information by the employee. CPMC believes that the employee accessed the information out of curiosity.
No action is required by the patients in response to CMPC’s notice.
CPMC takes patient privacy very seriously. CPMC has also reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment.
For questions, individuals may contact the Chief Privacy Officer for Sutter Health at 855?771? 4220 Monday – Friday from 8am to 5pm.
CPMC takes patient privacy very seriously, yet as a large enterprise we are not able to deploy off the shelf software to detect inappropriate access patterns.
Where can we find more information on what caused the employee to view these records? What were they looking for? How did CPMC become aware of this situation to initiate and investigation.
They said their audit uncovered a problem that they then investigated.
They may never tell us more about the employee’s motives because it sounds like they just terminated the employee and didn’t necessarily report this to police.