California fines 7 hospitals for breaches of patient data
■ The state's law requiring facilities to protect the confidentiality of medical records is one of the strictest in the nation.
By Pamela Lewis Dolan — Posted Dec. 21, 2010
The California Dept. of Public Health has fined seven California hospitals a total of $792,500 under a 2009 state law against facilities that don't protect patient data sufficiently.
The law requires hospitals to protect the confidentiality of medical records and is separate from the requirements under the federal Health Insurance Portability and Accountability Act regulations, which apply only to breaches affecting more than 500 patients. Under the California law, a hospital can be fined even if only one patient's records are breached.
Under the law, an administrative penalty of $25,000 per patient can be assessed against a facility for a breach and up to $17,500 for each subsequent breach of the same patient's data. The maximum fine per event is $250,000. Fines can be reduced for hospitals in rural areas, said Ralph Montano, spokesman for the CDPH. The fines were announced on Nov. 19.
That was the case for Biggs Gridley Memorial Hospital in Gridley, which was fined $5,000 for two employees accessing a patient's records on three occasions. Montano said the fine would have been $60,000, but a fine of that size "would have closed them down."
Other medical centers fined by the state:
- Pacific Hospital of Long Beach was fined $225,000 for an employee accessing and using the records of nine patients.
- Children's Hospital of Orange County was fined $25,000 after an employee accessed the records of another employee.
- Delano Regional Medical Center in Delano was fined $60,000 for the breach of one patient's record by an employee on three separate occasions.
- Kaweah Manor Convalescent Hospital, a nursing home in Visalia, was fined $125,000 after an employee accessed and used five patients' information.
- Kern Medical Center in Bakersfield received one fine for $60,000 for the disclosure of a patient's information by two employees on three occasions. The medical facility also was fined $250,000 for the loss of 596 patients' medical records.
- Oroville Hospital was fined $42,500 after a patient's information was accessed by an employee on two occasions.
None of the facilities had been fined previously for data breach incidents, and none was required to formally admit guilt as part of the penalty.
California's medical data protection law is considered to be among the most severe in the country. It was signed into law in 2008 by Gov. Arnold Schwarzenegger after the media reported several high-profile cases of snooping into celebrity files. One case involved the governor's wife, Maria Shriver.
The first fine issued under the law was for $250,000 against Kaiser Permanente Bellflower Medical Center in May 2009 for not taking adequate precautions to protect the privacy of Nadya Suleman, who gave birth to octuplets there in January of that year.