Calif. Hospitals Dinged $675,000 For Breaches

Fines allowed under 2008 California state law
June 16, 2010

The state of California has fined five California hospitals a total of $675,000 for data breaches that exposed patient information — a fine that signals how state and federal governments are trying to crack down on organizations, especially health organizations, with shoddy data security practices.

The California Department of Public Health last week invoked the fines allowed in a law California passed in 2008, which calls for an administrative penalty of $25,000 for the first breach of a patient's medical information and a penalty of up to $17,500 for each subsequent breach of patient data.

Community Hospital of San Bernardino received the largest fines — two separate fines totaling $325,000 for failing to prevent the unauthorized access of 207 patients' medical records in two separate incidents.

In addition to paying the fines, the five hospitals also must submit to the California Department of Public Health “a plan of correction” that will prevent future data breach incidents. The plan is due within 10 working days of the Department of Public Health’s notification.

"Medical privacy is a fundamental right and a critical component of quality medical care in California," CDPH Director Dr. Mark Horton said in a written statement. "We are very concerned with violations of patient confidentiality and their potential harm to the residents of California."

The other hospitals fined were: Enloe Medical Center, in Chico, $130,000 fine; Rideout Memorial Hospital, Marysville, $100,000 fine; Ronald Reagan UCLA Medical Center, Los Angeles, $95,000 fine; and San Joaquin Community Hospital, Bakersfield, $25,000 fine.

All five hospitals can appeal the fines by requesting a hearing within 10 days.

Patient data breaches from hospitals and other health organizations are a major and recurring problem.

The federal stimulus act passed last year required health care organizations to provide public notice of significant data breaches of patient records — those involving more than 500 people.

The U.S. Department of Health and Human Services posts details of those larger breaches on its Web site. From the beginning of its postings last September through May 12, there have been 99 medical data breaches that involved more than 500 people.

©2003-2012 Identity Theft 911, LLC. All rights reserved.
