For Release: September 09, 2010
PALO ALTO, Calif. -- Lucile Packard Children’s Hospital at Stanford is appealing a California Department of Public Health (CDPH) penalty.
The CDPH on April 23, 2010, after the self-reporting of a security incident by Packard Children’s, alerted the hospital that a fine of $250,000 was being levied as a result of what CDPH believes was a late reporting of the incident. This isolated incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients.
The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.
As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.
Theft charges have been filed against the former employee.
Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer. “We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s. “We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.”
"This theft was very unfortunate," said Susan Flanagan, RN, chief operating officer. "We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”
CDPH fined the hospital $250,000 for allegedly reporting the incident 11 days late. “We believe our communication to CDPH was appropriate and we are appealing the late fee,” said Flanagan.
“Lucile Packard Children’s Hospital is proud to have some of the industry’s strongest policies and controls in place for patient privacy protection,” added Kopetsky. “Even though the investigation revealed that no patient information was compromised and no patients were harmed, we are using this incident to further tighten our security and provide additional education to our staff.”
CDPH has yet to set a date for a ruling on the hospital’s appeal.
About Lucile Packard Children's Hospital
Ranked as one of the nation's best pediatric hospitals by U.S.News & World Report, Lucile Packard Children's Hospital at Stanford is a 311-bed hospital devoted to the care of children and expectant mothers. Providing pediatric and obstetric medical and surgical services and associated with the Stanford University School of Medicine, Packard Children's offers patients locally, regionally and nationally the full range of health care programs and services, from preventive and routine care to the diagnosis and treatment of serious illness and injury. For more information, visit www.lpch.org.
Media Contact
Robert Dicks
[email protected]
(650) 497-8364