The personal health information of more than 4,000 patients from Queen of the Valley Medical Center was accessible through the Internet for nearly a year, according to a news release.
Queen of the Valley notified 4,263 patients of the data breach earlier this week. Notices also were sent to patients of four other St. Joseph Health System hospitals: Santa Rosa Memorial Hospital; Petaluma Valley Hospital; St. Jude Medical Center (Fullerton) and Mission Hospital (Mission Viejo, Laguna Beach).
The data, officials said, may have included patient names, lab results, diagnoses lists, medication allergies as well as other personal health information. Because these were not full medical records, the data did not include Social Security numbers, addresses or financial information, hospital officials said. The records were for those receiving care from February through August 2011 and were searchable on the Internet from early 2011 to February 2012. Most of the individuals received care as inpatients.
Queen of the Valley became aware of the data breach Feb. 1 when the hospital was contacted by a patient’s attorney, said Robert Diehl, the Queen’s vice president of operations. No other patients have come forward, Diehl said.
After they were notified of the breach, the hospital’s data department worked to verify the patient’s allegations. It took the department a week to access patient information online, meaning the information was not readily identifiable on the Internet, Diehl said.
In most cases, a complex combination of terms or extensive search were required to access the records, according to St. Joseph Health System officials.
“There’s a low likelihood of wide viewership here,” Diehl said.
The information had been contained in files intended to be maintained securely and used only by the hospitals, according to a statement by St. Joseph Health System. However, security settings were incorrect and allowed for the potential of data disclosure.
Since discovering this situation, files have been secured within the hospital’s system, and there’s no possibility of any new information being leaked, said Vanessa DeGier, the Queen’s director of communications and marketing.
The hospital’s teams are working to eliminate residual or archived information from the Internet. Major search engines — including Google, Bing and Ask.com — have also been notified and are working to remove any archived information, Diehl said.
The California Department of Public Health visited Queen of the Valley earlier this week. It’s not known if the hospital will be penalized for the data breach, but Diehl said it is possible.
“Protecting privacy is a priority of our organization and we deeply regret any concerns or inconveniences this situation will cause those we serve,” said Clyde Wesp, MD, chief medical officer and chief medical information officer of the hospital’s parent organization, St. Joseph Health System. “Patients should know we will continue to work to ensure this situation does not occur again.”
Get local news delivered to your inbox!
Subscribe to our Daily Headlines newsletter.