Woman Suing San Diego Hospital Over Data Breach

A woman in San Diego is taking a children’s hospital to court over a data breach that saw details of her young daughter sent out to unauthorized individuals.


Photo: VILevi / Shutterstock

The woman, who is maintaining anonymity for herself and her daughter, is suing the Rady Children’s Hospital in San Diego, according to local news outlet ABC 10 News, over a data breach in June where the hospital inadvertently emailed patient spreadsheets to a number of job applicants.

There were two separate incidents, which totaled the number of affected patients to 20,000, the young girl in question was among them. She was the victim of a sexual assault says ABC 10 News and had been treated at the hospital two years ago. A report from SC Magazine tells us that the spreadsheet contained “primary diagnoses” of patients.

“This is not one or two records dropped in the parking lot. The people they gave this information to didn’t even work there. They were job applicants,” said David A. Miller, the attorney representing the woman.

The mother said her daughter had experienced a great deal of trauma. “It’s information that you never want anyone to know, ever,” she said.

Miller says the hospital has broken the law with this data breach and has violated the Medical Records Confidentiality Act.

Rady Children’s Hospital, the largest children’s hospital in California, says the information was leaked due to human error but much like the New Jersey hospital breach earlier this week, the information was not encrypted.

Other information contained in the spreadsheets included names, dates of birth, and discharge/admittance dates.

Rady conducted an investigation into the breach and insisted that the emails were deleted from the devices of the recipients, who were job applicants.

“Each recipient in this first case confirmed in writing they have removed the email and attachment,” said the hospital at the time. “We have employed an independent IT security firm to verify that the files have been deleted from the recipients’ devices.”

Rady says that it changing its recruitment policies for new applicants and increasing its data security, explaining that a new added level of approval will be required before emails are sent out.