SAN DIEGO — Hospital employees sent out detailed personal information about more than 14,000 patients to several job applicants by mistake this month, officials at Rady Children’s Hospital said Wednesday.
Officials said the security breach, which happened on June 6, prompted an internal review and the discovery of a second breach in 2012 in which less detailed information about more than 6,000 patients was mistakenly sent to job applicants. In both cases, the files were sent as training files to evaluate the skills of job applicants, Rady officials said.
According to Ben Metcalf, a hospital media relations representative, the file sent to four job applicants on June 6 was a spreadsheet containing information on 14,121 patients. It included patients’ names, dates of birth, primary diagnoses, admit/discharge dates, medical record numbers, and other information including insurance carrier and claim information. The file did not contain social security, insurance or credit card numbers, street addresses, or parent and guardian names.
Once the breach was discovered, hospital employees contacted all four of the job applicants. They learned that one of them forwarded the file to two other people. The hospital then hired security specialists to verify that the files had been deleted from the recipients’ computers and digital devices.
The hospital notified everyone on the patient list they could by telephone and sent out letters explaining the breach to everyone on the list on June 16, Metcalf said.
The investigation revealed that a similar breach happened in August, November and December of 2012, when an employee mailed a file containing information on 6,307 patients to three job applicants as part of the evaluation process. That file had less information and did not include dates of birth, diagnoses, street addresses, or social security, insurance or credit card numbers. The hospital plans to notify the patients involved as soon as possible, Metcalf said.
Hospital officials apologized to the families of patients affected by the breaches and said they were taking steps to prevent similar breaches in the future, including:
- using commercial testing programs to evaluate job candidates only onsite,
- increasing email security to require additional approvals before sensitive information can be sent,
- using email encryption to protect sensitive data,
- and educating employees about privacy policies.