St. Joseph Health mistakenly divulged the private information of 11,800 home health patients — including 1,762 in Sonoma and Napa counties — to an investment firm working on a business proposal for the health system.
Neither financial information nor patient Social Security information was compromised, St. Joseph Health said Friday.
The patients, some of whom are members of the St. Joseph Home Care Network, were notified in February that a St. Joseph Health employee accidentally sent a Microsoft Excel file to Cain Brothers, an investment banking firm that specializes in the health care industry.
The employee did not delete the file tab that included identifiable patient information, and the file was not encrypted to render it unusable or unreadable. The data included information such as patient name, patient codes, referral source, referral type, admit date, admission status description, admission disposition description and the medical unit where the patient was treated.
"We do apologize for any inconvenience that it's caused people," said Susan Solomon, a spokeswoman for St. Joseph Health. "We take these things seriously, absolutely. We look at our processes to help ensure that they don't happen again."
St. Joseph Health, whose Sonoma County operations also include Santa Rosa Memorial and Petaluma Valley hospitals, notified patients about the error in a Feb. 25 letter.
The letter states the mistake was discovered at 7:47 p.m. on Feb. 18, a little less than three hours after the data was sent to Cain Brothers.
"We discovered the issue on the same evening the email was sent and immediately contacted the recipient of the file requesting that it be deleted and not used or disclosed," St. Joseph regional compliance director Cambria Haydon wrote in the letter.
St. Joseph told patients it received "verbal and electronic confirmation" that the file was deleted and that the information was neither used nor disclosed.
St. Joseph Home Care Network provides various health care services, including wound care, palliative care and pain management, to adult patients after they get out of the hospital.
In 2012, St. Joseph notified 6,235 Santa Rosa Memorial Hospital patients that some of their private health information was mistakenly made accessible on the Internet for a year.
Solomon said St. Joseph has many policies in place to ensure proper transfer of data. Also, the disclosure was not caused by an employee of the home health department, she said.
Solomon said that all personnel involved in the breach are receiving privacy compliance training.
You can reach Staff Writer Martin Espinoza at 521-5213 or firstname.lastname@example.org.