Rady Children’s Hospital has apologized to the families of 20,000 patients whose private medical data was mistakenly emailed this month and in 2012, according to news reports.
On June 6, U-T San Diego reported, an employee of the Kearny Mesa hospital emailed a spreadsheet that “contained protected information about 14,121 patients to four applicants for data management jobs who subsequently forwarded the document on to two other people, according to a statement released after business hours Tuesday.”
Among the data released were names, dates of birth, primary diagnoses and medical record numbers. No Social Security, insurance or credit card numbers or street addresses were leaked, the U-T said.
“Rady officials said they contacted all six recipients and confirmed, with an independent information technology security firm, that the errant spreadsheet was deleted. Two of the recipients had been unable to open the file,” the U-T quoted the hospital as saying.
Citing a Rady statement, the U-T said a different employee in 2012 emailed a training exercise to three job candidates, and “six more viewed the private patient data [of 6,307 patients] when they came to the hospital’s campus to take a test on company computers.”
Rady officials said 150-plus employees contacted families for the 2014 breach by phone and mailed notices Monday. Notification letters were planned “as soon as possible” for families involved in the 2012 release, the U-T said.
Fox 5 San Diego reported Wednesday that the breach was the result of human error and the hospital’s computer systems were never compromised.
Rady officials quoted by Fox said they were taking steps to prevent similar breaches in the future, including:
- Using commercial testing programs to evaluate job candidates only onsite.
- Increasing email security to require additional approvals before sensitive information can be sent.
- Using email encryption to protect sensitive data.
- And educating employees about privacy policies.