Hospital Fined $250,000 For Late Reporting of Data Breach

This story was updated on September 10th.

Lucile Salter Packard Children's Hospital at Stanford University has been fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.

Under state law, that amount is the maximum penalty allowed for failing to report such an incident, according to spokesman for the California Department of Public Health, Ralph Montano. The penalty is assessed at the rate of $100 for every day of delayed reporting after the first five days for each patient medical record that was breached, he said.

These failure-to-notify penalties are unique in the country, according to officials for the National Academy for State Health Policy. So far, state health officials have issued more than $1.8 million in fines against 143 hospitals that failed to report an adverse event or breach of a medical record, a wrong-site surgery or a foreign object left inside a surgical patient.

State officials on Thursday released a document, called a "2567," summarizing the results of the state's investigation of the Lucile Packard incident. It said an unauthorized hospital employee and her husband, another employee, were observed Jan. 5 in the hospital's Heart Center removing a computer that contained protected health information on 532 patients.