Hospital discloses privacy breach

Sonoma Valley Hospital announced today that it has notified a group of patients of a Health Insurance Portability and Accountability Act (HIPAA) privacy breach that involved the hospital inadvertently posting limited patient information on the hospital’s website.

The hospital reported that the information was removed upon discovery, patients were notified, and steps were taken to prevent a reoccurrence.

According to Richard Reid, hospital CFO and Compliance Officer, the breach occurred on February 14, 2013, and involved an employee accidentally uploading personal information for 1,350 surgery patients to the hospital website as part of a routine website update.

The error was not discovered until April 17, 2013, because the information was placed on a section of the website that was not directly accessible through the website, but only through a search engine. Upon discovery, it was immediately removed and the hospital began an investigation of the cause.

The breach involved patients in the hospital for surgery during the period July 1, 2011, to June 30, 2012. Patient information posted was limited to patient name, date of service, procedure, surgeon, hospital charges and name of insurance company. No other personal data such as social security number, birth date, driver’s license or address was included, Reid said.

“We have apologized to the patients involved for our error and assured them that we have taken action to understand the cause of the breach and strengthen policies and controls protecting patient information,” Reid said. “We take patient privacy very seriously at Sonoma Valley Hospital and we are deeply sorry for any discomfort that this may have caused our patients.”