$40,000 Privacy Breach Penalty for Adventist Health Physicians Network
Simi Valley, California based Adventist Health Physicians Network has been directed to hand over $40,000 in civil monetary fines to the Ventura County District Attorney in relation to a patient privacy case that impacted more than 3,797 patients.
This penalty is part of a civil privacy settlement to address the privacy breach was allowed to take place during 2018. The breach in question occurred when an impermissible sharing of physical documents including private and confidential medical data took place. The Simi Valley-based clinic had contracted a storage provider in Simi Valley to manage the holding of physical patient records. However, when they failed to provided payments to the storage facility provided, the hospital was denied access to the storage unit and the contents were made available for sale at a public auction during October 2018.
The person at the auction who purchased the contents of the storage unit found boxes holding lots of paperwork in the unit. These boxes, it was revealed, were holding sensitive medical information related to the patients of Adventist Health. The hospital was made aware of the situation and swiftly arranged that the files be were promptly collected and made safe.
Following this course of events Adventist Health carried out an investigation into the breach and was happy that no information in the storage unit had been made public or shared anywhere else. In order to stop incidents like this from happening going forward, Adventist Health reviewed and made a number of changes to its policies and processes to see to it that physical patient records were correctly secured and were disposed of securely when the paperwork was no longer necessary.
The breach was reviewed by the Consumer and Environmental Protection Unit of the Ventura County District Attorney’s Office, which found that Adventist Health had breached California Unfair Competition Law as the healthcare supplier did not fulfil its responsibility to safeguard patient privacy, had not reasonably managed and safeguarded medical data, and had failed to correctly dispose of confidential data.