Hospital appeals $250K data breach penalty

Lucile Packard Children's Hospital at Stanford will appeal a California Department of Public Health fine of $250,000 for alleged late reporting of a data security breach, according to a statement released by the Palo Alto-based hospital on Thursday.

CDPH fined the hospital for allegedly reporting an incident 11 days late. During the isolated incident, which Packard Children's self-reported to CDPH in February, an employee apparently stole a password-protected desktop computer containing information on more than 500 patients and took it home in January.

After the hospital and law enforcement found that the computer could not be recovered, it reported the incident to CDPH, federal authorities and families of patients that might have been affected. The hospital also offered families identity theft protection services.
The former employee allegedly behind the incident now faces theft charges.

Such failure-to-notify penalties are unique in the country, HealthLeaders Media reports. So far, state health officials have issued more than $1.8 million in fines against 143 hospitals that failed to report an adverse event or breach of a medical record, a wrong-site surgery or a retained foreign object.
 
Hospital staff have been monitoring computer activity to see if the missing computer has been online anywhere, according to Ed Kopetsky, Packard Children's CIO. So far, nothing has come up.
 
To learn more:
- read Lucile Packard Children's Hospital at Stanford's press release
- see the HealthLeaders Media article