Inspector’s narrative
What the inspector wrote
Initial Comments
The following reflects the findings of the California Department of Public Health (CDPH) during an investigation of an entity reported incident or complaint.
ACTS Intake Number: CA00905258 Substantiated
The investigation was limited to the specific events reported and does not represent the findings of a full inspection of the facility.
Representing the California Department of Public Health:
Surveyor#: 47509
Health and Safety Code 1280.15 - Tag 170
This Statute is not met as evidenced by:
Based on correspondence, interviews, and record reviews, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patient (PT1) medical information (PMI) when an unauthorized person was sent an email by facility staff that provided access to PT1’s electronic medical record (EMR) without a business need to do so or written authorization from the patient.
Findings:
On June 17, 2024, the California Department of Public Health (CDPH) received a complaint. The incident occurred on June 12, 2024, and was detected by the Facility on June 12, 2024, when the complainant (COMP1) replied to several facility staff and a County Public Health Staff (CPHS1) via email stating that he had received access to a patient’s (PT1) EMR via a link sent by the facility. The facility notified PT1’s representative of the breach via a letter dated August 19, 2024. After being informed by Surveyor A on August 13, 2024, that CDPH had not yet received a notification of the breach from the facility, the Administrator (ADM2) notified CDPH of the breach via a phone call to a CDPH District Office Staff (DOS1) on August 20, 2024.
INVESTIGATION FINDINGS: On August 13, 2024, Surveyor A reviewed the complaint submitted by COMP1 and noted the following:
In an email sent on June 12, 2024, COMP1 copied the facility Administrator (ADM1), a facility Physician (PHYS1), the facility Medical Records Director (MRD1), CPHS1, and advised that the email he received from ADM1 contained attached medical records that he was unable to open, as well as a link to the wrong set of medical records belonging to PT1. COMP1 stated he had requested his mother’s (MOM1) medical records and had not received them. Included in COMP1’s reply was a screenshot of a corner of a page that contained PT1’s name, DOB, age, religion, address, employment status, part of her SSN, and admit date. The screenshot did not display the entire page nor include the name of the facility or any medical information. The email that COMP1 replied to was sent by ADM1, who forwarded an internal facility email dated June 11, 2024, from MRD1 to ADM1. In this internal email MRD1 attached a document and included a link titled, “HOSPITAL RECORDS” and advised ADM1 that the records for MOM1 were attached and viewable via the link. Contained within the email thread was a subsequent email dated June 17, 2024, from CPHS1 to DOS1, referring the case to the proper CDPH staff.
On August 13, 2024, Surveyor A spoke with the current Administrator (ADM2) to discuss the case. ADM2 stated that she became the administrator on June 24, 2024, and was not made aware of the incident until today. Surveyor A stated that even though the breach was reported via a complaint, ADM2 would need to submit a breach notification to CDPH to meet the reporting requirements.
On August 20, 2024, Surveyor A received a phone call from ADM2 who stated she reviewed the emails in which the breach occurred but did not see a direct email from the facility to COMP1. Surveyor A advised that the email thread CDPH received appeared to show a forwarded email from ADM1 to COMP1, which contained an internal facility email that housed a link to PT1’s EMR. ADM2 stated she would continue reviewing emails to see if there was a direct email to COMP1.
On August 21, 2024, Surveyor A reviewed the complaint and clicked the link to PT1’s EMR within the document. The link was still active and led directly to viewable documents containing over 100 pages of PMI. Surveyor A reviewed the “HOSPITAL RECORDS” and noted the following: The first page of the file was a “Physician Face Sheet,” from which COMP1 took a screenshot. The full page contained PT1’s age, DOB, phone number, SSN, MRN, religion, address, emergency contacts, physician list, diagnosis, health and health insurance providers. The entire file contained records which displayed PT1’s medical history, dates of service, physician notes, lab results, procedures, vitals, treatment plans, symptoms, photographs of PT1’s body, immunization record, medications, prescriptions, and family history. Aside from the medical history, the documents related to treatment received by PT1 from May 31, 2024, to June 4, 2024, including transfer information from a hospital to the facility.
On August 21, 2024, Surveyor A contacted ADM2 and advised that the link contained in the complaint that CDPH received was still active and led directly to the EMR of PT1 which contained over 100 pages of PMI. ADM2 stated she would contact her IT people and have them remove access to PT1’s EMR from the link contained in the email that led to the complaint. ADM2 stated that she confirmed that the email from ADM1 to COMP1 was a forwarded email that contained the internal facility email from MRD1, resulting in COMP1 being able to access PT1’s records. She stated there were no other emails from the facility to COMP1 constituting a breach. ADM2 provided Surveyor A the phone number for COMP1.
Surveyor A received an email from DOS1 acknowledging that ADM2 contacted the CDPH District Office regarding the breach. Within the email thread was an email from ADM2 to DOS1 dated August 20, 2024, reporting the breach. Surveyor A made a phone call to DOS1 and confirmed that she spoke to ADM2 on August 20, 2024, regarding the breach.
On August 23, 2024, Surveyor A received a return phone call from COMP1. During the phone interview, COMP1 stated he had received PT1’s records after requesting records belonging to his mother. COMP1 confirmed access by reciting PMI belonging to PT1, including diagnosis. Access was also confirmed by a June 12, 2024, email from the facility to COMP1 acknowledging the error.
On September 6, 2024, Surveyor A reviewed documents from ADM2 and noted the following:
In a response letter dated September 4, 2024, ADM2 summarized the timeline of the breach incident and advised of actions taken to address the breach. ADM2 advised that a patient notification letter was mailed to PT1’s representative, and that she spoke to PT1 regarding the breach on August 20, 2024. She noted that COMP1 was contacted on August 21, 2024, and advised to delete any of PT1’s EMR in his possession obtained via the link in the email sent on June 12, 2024. ADM2 advised that the facility’s IT staff were able to disable the link to PT1’s EMR that was enclosed in the email which resulted in the breach, and that facility staff received training on policies and procedures for handling PMI and breach reporting. The response documents included the email ADM2 sent to DOS1 on August 20, 2024, notifying CDPH of the breach, as well as the unsecure email thread involving COMP1 which resulted in the complaint to CDPH.
A copy of the “Physician Face Sheet,” of which COMP1 included a partial screenshot in his complaint, was included in the response documents.
In a letter dated August 19, 2024, ADM2 notified PT1’s representative (PTR1) of the breach incident that occurred on June 12, 2024, involving PT1’s EMR. The letter was sent to PT1 via certified mail on August 21, 2024.
ADM2 provided contact information for the parties involved in the breach incident. Within the list were hire and termination dates for ADM1 and MRD1. ADM1 was hired on February 5, 2024, and terminated from employment on June 20, 2024. MRD1 was hired on February 5, 2024, and terminated from employment on August 15, 2024.
ADM2 provided training documents for ADM1 showing that she received new employee orientation training, including a “HIPAA Privacy Quiz,” a signed acknowledgement dated July 11, 2023, stating that she received a copy of the employee handbook that contained facility policies and procedures, and an orientation checklist showing completion of two different HIPAA privacy rules trainings completed on July 13, 2023.
ADM2 provided the facility’s policies and procedures regarding handling PMI. Two documents titled “HIPAA Privacy Rules Training” and “Basic Dos and Don’ts to Remember” outlined the facility rules and best practices for handling PMI. A document titled “Notification of Breaches…” outlined the facility’s practices for identifying and handling a potential breach of PMI. A document titled “Management and Protection of [PMI]” outlined facility employees’ responsibilities when handling PMI during the course of their work.
On September 9, 2024, Surveyor A received a return phone call from PTR1 who advised that she did receive the notification letter from the facility letting her know about the breach. She stated that PT1 has been a resident at the facility for some time and has a limited awareness of her surroundings.
CONCLUSION:
Based on correspondence, interviews, and record reviews, the facility failed to prevent unlawful or unauthorized access to, and use or disclosure of, patient (PT1) medical information (PMI) when an unauthorized person was sent an email by facility staff that provided access to PT1’s electronic medical record (EMR) without a business need or written authorization from the patient.
Health and Safety Code 1280.15(b)(1) – Tag 180 Late reporting to the Department.
This Statute is not met as evidenced by:
Based on correspondence, interviews, and record reviews, the facility failed to report the unlawful or unauthorized access to, and use or disclosure of, patient (PT1) medical information to the CDPH within 15 business days from the date of breach detection by the facility on June 12, 2024. The facility notified the CDPH of the breach on August 20, 2024, which is 48 days late.
Findings:
On August 20, 2024, the facility Administrator (ADM2) reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident occurred on June 12, 2024, and was detected by the Facility on June 12, 2024. On September 6, 2024, Surveyor A reviewed the written notification of the breach from the facility to the CDPH. Review confirmed that the facility notification was dated August 20, 2024, and that the breach was detected on June 12, 2024, which validates that the notice was 48 days late.
Health and Safety Code 1280.15(b)(2) – Tag 190 Late reporting to the affected patient or the patient's representative.
This Statute is not met as evidenced by:
Based on correspondence, interviews, and record reviews, the facility failed to report the unlawful or unauthorized access to, and use or disclosure of, patient (PT1) medical information to the affected patient(s) [or patient’s representative] within 15 business days from the date of breach detection for each patient by the facility. The facility detected the breach of PT1’s medical information on June 12, 2024, and notified PT1’s representative (PTR1) on August 21, 2024, which is 49 days late.
Findings:
On August 20, 2024, the facility Administrator (ADM2) reported a potential breach of confidential medical information to the California Department of Public Health (CDPH). The incident occurred on June 12, 2024, and was detected by the Facility on June 12, 2024. On September 6, 2024, Surveyor A reviewed the written notification(s) of the breach from the facility to PTR1. Review confirmed that the notification(s) to PTR1 was dated August 19, 2024, but mailed via certified mail on August 21, 2024. The breach was detected on June 12, 2024, which validates that the notice was 49 days late.