Hospital Fined $250,000 For Late Reporting of Data Breach

"Based on interviews and record review, the hospital failed to notify a privacy breach of patients' protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10."

"The confidential data included names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers."

Lucile Packard officials on Thursday posted a lengthy statement on the hospital's website saying it intends to appeal the $250,000 fine.

"The computer in question was used by an employee whose job required access to patient information," the hospital said.

"Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.

"The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.

"As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.

"Theft charges have been filed against the former employee."