Sonoma Valley Hospital warns patients of privacy breach

Sonoma Valley Hospital mistakenly published private medical information for 1,350 patients on its website earlier this year, hospital officials said.

The security breach, which occurred Feb. 14 and was discovered by state health officials on April 17, included the patient's name, surgeon, date of procedure, hospital charges and the name of the patient's insurance company.

The information was removed from the hospital's website and the site was "scrubbed" to ensure that no other private information was publicly accessible, said Richard Reid, the hospital's chief financial officer and compliance officer.

"We take patient privacy and the security of their information very seriously," Reid said. "We have reviewed all of our procedures and corrected the issue that occurred with that list."

The file that was uploaded to the website contained information about patients who had surgery at the hospital from July 1, 2011 to June 30, 2012.

"Once we were notified of it we immediately took it down from the website," Reid said. "We removed that particular file and scrubbed the website to make sure there wasn't anything else and there was not."

Patients were notified by letter of the incident several weeks ago, Reid said. He said 30 to 40 patients called with questions, most of them requesting more clarification.

The breach violates federal rules protecting patient privacy, which are outlined in the Health Insurance Portability and Accountability Act. Reid said it resulted from "human error" by an employee who failed to follow hospital procedures. The employee worked on both the website and in the surgery department, but information related to those two tasks was supposed to be kept separate.

Measures have been taken to ensure the mistake is not repeated, Reid said.

"Any future work that's done on our website will be done on a stand-alone computer that is not connected to any patient-related information," he said.

In a similar incident last year, private health information for 6,235 patients at Santa Rosa Memorial Hospital and 4,263 patients at Queen of the Valley Hospital in Napa was mistakenly made accessible on the Internet for nearly a year. Both hospitals are operated by St. Joseph Health.

In some cases, the information would have been accessible through a simple Google search of the patient's name. The breach, which affected 31,800 St. Joseph patients throughout the state, included patient name, body mass index, blood pressure, lab results, smoking status, list of diagnoses, medication allergies, advance directive status and demographic information such as spoken language, ethnicity, race, gender and birth date.

As in the more recent case at Sonoma, the breach did not include Social Security numbers or financial data such as credit card numbers.
