Rady Children's Hospital spends lots of time and money protecting its patient information from outside hackers. But it was a mistake by an employee that recently exposed the information of more than 14,100 patients.
"Unfortunately when the file was emailed, attached to it was the original file, it was complete human error," explained Rady Children's Hospital acting President Donald Kearns.
The attachment was sent to potential job applicants for an internal evaluation. But instead of sending approved information, a collection of real patient data was released to six applicants.
The breach included names, dates of birth, primary diagnoses, medical records and insurance carrier claim information. But no social security or credit card numbers were included, nor were street addresses or parent and guardian names.
Over the weekend, the hospital created a communication center staffed by physicians, managers and other employees to call the 14,121 families included in the breach. The file contained information on patients admitted to Rady Children's between July 1, 2012 and June 30, 2013.
"Some families were upset," said Kearns. "But the vast majority understood that this is something that was not done purposely. This is something that was done on a human error."
Eva Velasquez with the Identity Theft Resource Center said internal breaches like this are a big problem.
"As much as companies are trying to stem the tide of these breaches," said Velasquez, "employee negligence is actually going up when we categorize breaches."
Velasquez says 7 percent of identity theft breaches were from internal negligence in 2012. That number climbed to 9.3 percent in 2013 and year-to-date in 2014, the number is 10.2 percent.
Rady Children's has notified county and state officials and will also need to report the breach to federal regulators. When hospital officials investigated the problem, they discovered a second breach of inpatient or outpatient treatment information between June 2009 and June 30, 2010. That breach included 6,307 patients.
Rady Children's hospital will be sending out letters to everyone included in the breach.