St. Joseph Health System warns of patient data breach

St. Joseph Health System has notified 6,235 Santa Rosa Memorial Hospital patients that some of their private health information was mistakenly made accessible on the Internet for a year.

Overall, information on 31,800 California patients could be accessed online in January and February, including data for 4,263 patients of Queen of the Valley Hospital in Napa.

St. Joseph medical system, based in Orange in Southern California, sent notifications on Monday by mail. It also notified two patients at Petaluma Valley Hospital, which it also runs, as well as three of its hospitals in Southern California.

The information included patient name, body mass index, blood pressure, lab results, smoking status, list of diagnoses, medication allergies, advance directive status, and demographic information such as spoken language, ethnicity, race, gender, and birth date.

The data did not include Social Security numbers, patient addresses or financial data such as credit card numbers, officials said.

The data was contained in reports that were part of St. Joseph's assessment of the effectiveness of electronic health records, but were not actual health records, said Dr. Clyde Wesp, chief medical officer and chief medical information officer of St. Joseph Health System.

After the reports were generated, they were put on an internal network that "was assumed to be protected," he said. "This one obviously was not protected."

The information related mostly to inpatients who received care from February 2011 through August 2011. St. Joseph began filing the reports in the internal database around February 2011, said Katy Hillenmeyer, a spokeswoman for St. Joseph Health System Sonoma County.

The information in the database was "gradually built up, over time, with new reports being filed in the internal database each month," Hillenmeyer said, adding that the last reports were filed in August.

That information would have been accessible through the Internet during the 12 months from February 2011 to early February 2012, when the error was discovered.

Wesp said the information was not readily identifiable and would have required a "complex combination" of search terms.

Hillenmeyer said the error was discovered by a patient or someone connected to a patient of a St. Joseph Hospital in Southern California.

The majority of the records exposed to public search were at St. Jude Medical Center in Fullerton and Mission Hospitals in Mission Viejo and Laguna Beach.

Officials said that the information has been secured and that information specialists have contacted search giants such as Google to ensure that none of the data remains on their servers.

Wesp stressed that protecting patient privacy is a priority for the health system. He said that the reports contained no financial information or Social Security numbers, and that at no time were the contents of actual medical records accessible.

The toll-free number for patients who have questions about the incident is (877) 430-5623.
