Westcoast Children’s Clinic notifies parents after sensitive info faxed to wrong number

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.phiprivacy.net/?p=12434

Westcoast Children’s Clinic in Oakland recently notified the parents
of a patient after a psychological assessment report containing the
patient’s name, date of birth, current placement history,
developmental and psychological treatment history, limited family
history, educational history,  current psychological concerns, testing
data, results  and interpretation, and treatment recommendations was
faxed to an unintended recipient.  The error occurred because one
digit of the dialed fax number was off by 1.

The clinic learned of the April 16 incident on April 19, when the
unintended recipient contacted them. According to the clinic, the
recipient shredded the misdirected documents. A notification letter
was sent to the parents on April 22.

A review of the incident indicated that the employee had not followed
established protocols that would have prevented the error.

The employee will receive disciplinary sanctions consistent with the
level of privacy breach and will be retrained in privacy practices.
All of our employees will be contacted to remind them of the
priorities in protecting health information.

Even if the unintended recipient shredded the documents, the
information would presumably reside in the memory system of the
recipient’s fax machine.  I contacted Westcoast Children’s Clinic to
inquire about that concern and was informed by Eric Kelly, their IT
Director, that the IT person at the office where the fax was
misdirected had indicated they would clear the memory on the machine
and that Westcoast would be following up to confirm that this was
done.

Of note, because California law only requires submissions to the
Attorney General’s Office for breaches affecting more than 500
individuals, I had initially assumed that this breach affected more
than 500 individuals. It was only in following up on the fax memory
issue that I learned that this was a single-individual breach, as was
their past report to the state. The previous breach report has been
corrected to indicate that it was an N=1 breach.   So I learned I
cannot assume that every breach reported on California’s site really
is an N>500 breach.  This case has also reinforced the point that
entities should obtain legal advice about their reporting obligations,
as needlessly exposing breaches has the potential to inflict avoidable
reputation harm and shake the confidence of patients or clients.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.