SONOMA -- Sonoma Valley Hospital has notified 1,350 patients that their information was inadvertently posted on its website, hospital officials confirmed.
The hospital, overseen by the Sonoma Valley Health Care District, said it removed the patient information immediately upon discovering the accidental disclosure, which occurred Feb. 14, and said steps were taken to prevent a recurrence.
Such a disclosure is in violation of the Health Insurance Portability and Accountability Act, the institution said. A 1981 California law allows for damages of $1,000 per patient whose private record was wrongfully disclosed.
According to the hospital, an employee accidentally uploaded personal information for 1,350 surgery patients -- including patients' names, procedure, surgeon, date of service, hospital charges and the names of insurance companies -- as a result of routine website maintenance. The breach included surgery patients seen in the hospital between July 1, 2011, and June 30, 2012.
The information posted did not include Social Security numbers, birthdates, driver's license information or personal addresses, according to Rick Reid, chief financial officer and compliance officer for 83-bed Sonoma Valley Hospital.
The breach was not discovered until April 17, because the information was posted on a section of the website not directly accessible by visitors. However, the information was searchable by automated services such as Google's, according to the hospital.
"We have apologized to the patients involved for our error and assured them that we have taken action to understand the cause of the breach and strengthen policies and controls protecting patient information," Mr. Reid said. "We take patient privacy very seriously at Sonoma Valley Hospital and we are deeply sorry for any discomfort that this may have caused our patients."
He said the hospital has taken action to understand the cause of the breach and to strengthen policies and controls to protect patient information. Mr. Reid said the hospital has heard from about 40 patients since disclosing the breach last Friday.
Sonoma Valley Hospital is the second health care provider in Sonoma County to confront a data breach. St. Joseph Health-owned Santa Rosa Memorial Hospital and Queen of the Valley Medical Center in Napa reported a similar occurrence about a year ago. The health system eventually was hit with several class-action lawsuits, including one filed in Sonoma County seeking $1,000 per affected patient.