The information below comes from the statement of deficiencies compiled by health inspectors and provided to AHCJ by the Centers for Medicare and Medicaid Services. It does not include the steps the hospital plans to take to fix the problem, known as a plan of correction. For that information, you should contact the hospital, your state health department or CMS. Accessing the document may require you to file a Freedom of Information Request. Information on doing so is available here.

CHINO VALLEY MEDICAL CENTER 5451 WALNUT AVE CHINO, CA 91710 April 28, 2016
VIOLATION: GOVERNING BODY Tag No: A0043
Based on observation, interview, and record review, the facility's Governing Body failed to hold the facility medical staff accountable for the quality of care provided to patients by failing to:

1) Develop, implement, and maintain an effective antiviral computer software program to prevent a malware virus from infiltrating the facility's computer system. (refer to A-0441).

2) Ensure background checks were cleared on a non-employee (a registry contracted individual) staff prior to the date of hire, to prevent patients from potential abuse. (refer to A-0432)

3) Ensure the facility medical records were accurate and complete. (refer to A-0438)


The cumulative effect of these systemic problems resulted in the failure of the hospital to deliver care in a safe setting and be in compliance with the Condition of Participation for Governing Body.
VIOLATION: MEDICAL STAFF - ACCOUNTABILITY Tag No: A0049
Based on observation, interview, and record review, the facility's Governing Body failed to ensure the medical staff are held accountable for the quality of care provided to patients, by failing to:

1) Develop, implement, and maintain an effective antiviral (computer software used to protect and detect disruptive software) computer software program to prevent a malware (disruptive software) virus from an unauthorized cyber attack, with a ransom demand, into the facility's electronic medical record system (EMRS).

2) Ensure background checks were cleared on a non-employee (a registry contracted individual) staff prior to start of date of hire, to prevent patients from potential abuse.

3) Ensure facility medical records were accurate and complete.

These deficient practices had the potential to affect the health and safety for a universe of 39 patients.

Findings:

On March 18, 2016, the California Department of Public Health, Licensing and Certification division, received a telephone call from (name of hospital) reporting they received notification of a cyber attack with a ransom demand. The following detailed time line reflects the inability of the facility to provide quality patient care, by a disruption of vital computerized communication, within the hospital's Radiology (the science dealing with x-rays and high radiation for the diagnosis and treatment of diseases) Department, the Laboratory (LAB - a room or building equipped to perform medical tests from blood and/or body fluids and specimens) Department, the emergency room (ER), the Pharmacy (where medicine is dispensed) Department and all nursing units of the facility:


1. A review of the facility document titled "Time Line for IT (Information Technology)" dated March 18, 2016, indicated the following:


At 9:05 p.m., the "Computed Tomography Scan" (CT - detailed images of internal organs that cannot be obtained by x-ray) was not transferring CT images to the radiologist for review. The IT department was notified and requested to assist with restoring the computer system.

At 11:00 p.m., the IT employee arrived and began checking the CT computer linkage problem. The IT employee then discovered corruption in the emergency room (ER) and in the Intensive Care Unit (ICU) EMRS computer program. At this time it was also discovered the paging system (a wireless telecommunication device that receives and displays numeric messages) for the facility was not operational.

On March 19, 2016, at 12 a.m., the emergency room (ER) was closed due to the facility's determined internal disaster. ER computers were shut down and unplugged from the servers (a computer or device that provides functionality for other programs or devices).

This prevented the facility's ability to order lab tests (tests usually from blood and/or body fluids and other types of specimens obtained from the body) and x-rays (a digital image of the internal part of the body) for the patients already waiting in the ER. The down time protocol (documentation of patient information completed on paper forms) was activated and the Chief Nursing Officer (CNO) was notified.

At 12:15 a.m., the Information Technologist Director (ITD) arrived in the facility and was told there was no estimated time for repair of the computer system and the software vendor had been notified.

The ITD continued to wait for the software vendor's arrival.

At 12:15 a.m., a radiologist arrived at the facility to review ER x-rays and CT scans. RN 5 stated "The ER was busy and there were multiple x-rays and CT scans waiting to be read for the patients in the ER."

At 3:50 a.m., the computer system was shut down from the server by IT. The Charge Nurses, the Laboratory Department, the Radiology Department, and the Respiratory Therapy (treats people with health care issues affecting the heart and lung) Department were informed.

They needed the on-call Pharmacist (a professional qualified to prepare and dispense medicine) to print the electronic Medication Administration Record (e-MAR) for the patients currently in the hospital and he was unable to be reached.

At 5:15 a.m., the Pharmacist arrived and printed the e-MARs. The facility was informed by IT there was no estimated time for the network/computer repairs or a resolution of the IT problems.

At 6:15 a.m., as a result of the computer system being non-operational, the lab requested a 45-minute delay before shutting down the electronic medical record system (EMRS) in order to process the results of the patient's morning blood specimens.

At 7:00 a.m., the EMRS was shut down from the server.

At 6:30 a.m., RN 5 spoke to the Chief Nursing Officer (CNO) and then notified the Regional Chief Executive Officer (RCEO) and Chief Medical Officer (CMO).

At 9:15 a.m., a decision was made to go on CT diversion (the act of changing direction) due to the delay in getting the CT results read.


At 10:00 a.m., the California Department of Public Health (CDPH) was notified by the [name of hospital] Nursing Administration that the facility was on internal disaster (ID) due to an enablement (the act of enabling [to allow]) of the facility's complete computer system by a cyber-attack with a ransom demand.

At 2:15 p.m., RN 5 spoke to IT with a concern of having to manually input telephone numbers into the fax machine before they could send documents, because there were no phone numbers programmed into the fax machine.

At 3:00 p.m., after initiating the downtime process the facility found there were incomplete discharge instructions being given and 21 discharge instructions were missing.

On Sunday March 20, 2016, the time line indicated:

At 8:30 a.m., five IT employees arrived from the [name of hospital] corporate office and started scrubbing (overriding an entire computer system) the personnel computers. The facility was told this process would take 10 to 12 hours.

At 1:49 p.m., the admitting department reported they are having problems with the wireless personnel computers brought to them for use.

At 5:15 p.m., the facility spoke to the ITD. He stated the personnel computers wouldn't be completely scrubbed (overriding the entire computer system) until late evening, or into the early morning of March 21, 2016. It was unknown when the EMRS computer program would be brought back on line.

On Monday, March 21, 2016, at 8:30 a.m., a meeting was held with the management team and the decision was made that all personnel computers will remain disconnected from the computer servers...all patient care systems were slow due to the downtime manual process in place.

During a review of the facility document titled "Downtime" undated, on April 25, 2016, the following was indicated:

On March 19, 2016, the facility computer system was shut down at 7:00 a.m. and all workstation computers were physically unplugged from the network.

On March 20, 2016, the facility computer systems were still off.

On March 21, 2016, installation of security software continued.

On March 22, 2016, imaging of the Hospital workstations continued.

On March 23, 2016, additional software needed to be installed on workstations.

On March 24, 2016, the facility's EMRS was back online at approximately 2:10 p.m.

A review of the facility document titled "Status of Systems" undated, on April 25, 2016, the following was indicated:

The Cardiopulmonary Department (medical practice of the heart and lungs): [brand name of a software tool] program that merges information from multiple sources, requires an upgrade to support the anti-virus security software. The expected delivery and installation is to occur the week of May 5, 2016.

The Radiology Department requires changes to the security software on their portable x-ray machine to accommodate the workflow.

During an interview with the Chief Nursing Officer, on April 25, 2016, at 3:55 p.m., he stated "Not all systems are up and running yet..."


During an interview with the Pharmacist, on April 25, 2016, at 4:20 p.m., he stated "They kept their electronic health record system running until 7 a.m., on Saturday...the IDT made the decision to keep the EMRS running until 7 a.m."

During an interview with the Regional Chief Executive Officer (RCEO), on April 28, 2016, at 2:10 p.m., he stated the malware functionality of work station systems was taken away.

During an interview with the Chief of Police, for the city of Chino, on April 28, 2016, at 2:15 p.m., she stated they have not found who the perpetrator is and they are still working with the Federal Bureau of Investigation (FBI).

During an interview with the President/Chief Medical Officer (CMO), on April 28, 2016, at 2:21 p.m., he stated "They realize their nurses don't have experience in writing medication on paper...the downtime forms (documents used when the computer system is down) worked for two hours, and then it did not work for three weeks."

2. During an interview with the IDT on April 25, 2016, at 8:30 a.m., he stated "Policies were not developed for the facility's antiviral system. The two new antiviral backup systems were placed after the cyber-attack incident."

During an interview with the President/Chief Medical Officer (CMO), on April 28, 2016, at 2:25 p.m., he stated an e-mail was opened at [name of city] facility and the cyber attack then spread to the other [name of hospital corporation] facilities.

A review of the facility document titled "Hospital Risk Management - Assessment of Risk" dated 2016, indicated "Cyber-attack on computer systems...Malware attack this year. Risk continues to be present for recurrence."

A review of the document titled "Security Systems" undated, indicated "...Changes were required in the Radiology department for the security software on the portable x-ray machines to accommodate workflow...changes were needed to the security software installed to allow them to function as required for the user workflow."

The facility policy and procedure titled "Security Policy, Information Systems" dated December 2015, indicated: "Virus protection must exist at network points where a potentially infected file enters, leaves or is stored throughout the network. Appropriate backup and recovery plans must be established for business applications. Access to backed-up information must be equal to or more restrictive than security measures taken to protect the original electronic information. Customers and users are accountable and responsible for establishing processes to back up their personal computers or as applicable, local servers contained within a department."


Despite the internal investigation conducted by [name of hospital] to determine the possibility of a breach of protected health information (for the patients who were seen and treated during the facility's cyber-attack event) the unknown information that may have potentially been breached continues to compromise patient confidentiality and protected health related information.



2. A review of the employee file record for Coder II, indicated the date of hire was July 24, 2006. The criminal screening was cleared on July 26, 2016.

During an interview with the Director of Human Resources (DOHR), on April 28, 2016, at 3:21 p.m., she stated "We wouldn't hire her until background was cleared."

The facility policy and procedure titled "Background Checks", dated February 2016, indicated "...Prior to an offer of employment to a selected applicant, the following steps will be followed to ensure a complete background screening. The applicant is notified of the need to provide authorization for a background screening. The applicant is provided with all necessary documents as well as detailed information regarding the background screening process. After an authorization is received, the required forms are forwarded to the selected vendor to begin the background screening. Once the job-related results of the check are received, the department head/director/manager/supervisor is notified of the clearance."


3. A review of the clinical record for Patient 6, indicated the admission was on March 20, 2016, for respiratory failure (not enough oxygen passes from the lungs into the blood).
A concurrent review of the medical non-violent restraint flow sheet, dated March 20, 2016, was without evidence of nursing staff documentation of the need for restraint codes (the behavior status of the patient while in bilateral wrist soft restraints, patient needs, assessments, and interventions) at the following times:
a. 7:00-9 a.m.
b. 9:01-11 a.m.
c. 11:01-1 p.m.
d. 1:01-3 p.m.

During a review of the clinical record for Patient 6, the medical non-violent restraint flow sheet dated March 21, 2016, was without evidence of nursing documentation of the need for restraint codes (the behavior status of the patient while in bilateral wrist soft restraints, patient needs, assessments, and interventions) at the following times, during the nurse's 12-hour shift:

a. 7 a.m. - 9 a.m.
b. 9:01 a.m. - 11 a.m.
c. 11:01 a.m.- 1 p.m.
d. 1:01 p.m.- 3 p.m.
e. 3:01 p.m.- 5 p.m.
f. 5:01 p.m. - 7 p.m.
g. 3:01 a.m.- 5 a.m.
h. 5:01 a.m.- 7 a.m.

During an interview with the Registered Nurse (RN 1), on April 26, 2016, at 4:50 p.m., she stated the nursing staff should have documented the codes (the behavior status of the patient while in bilateral wrist soft restraints, patient needs, assessments, and interventions) for March 20, and 21, 2016.

The facility policy and procedure titled "Restraint Use," dated July 2013, indicated: "The restraint flow sheet is a two-part form. The white original copy is retained on the medical record and the carbon copy is forwarded to nursing administration for data analysis. Data analysis will provide the impetus for quality initiatives by identifying the behavior warranting the use of restraint as a therapeutic intervention. Identifying those least restrictive interventions that are initiated prior to the initiation of restraints. Identifying those interventions that are effective in reducing the time that restraints are utilized."

During a review of the clinical record for Patient 6, the medical non-violent restraint physician order, dated March 20, 2016, at 12:09 p.m., was without evidence of a physician signature dating and timing the document.

During an interview with the Chief Nursing Officer (CNO) on April 26, 2016, at 4:51 p.m., he confirmed the physician should have dated and timed the order immediately.

The facility policy and procedure titled "Restraint Use," dated July 2013, indicated: "Each restraint order is time limited and written for a specific episode. The use of the restraint requires a physician's order specifying the type of device, purpose of the device, and length of time the restraint is to be used. The maximum time limit for the order and the use of restraints is one (1) hour of children under age 9 (must renew every two (2) hours, Pediatric patients are not restrained except for the duration of an invasive procedure, Two (2) hours for children and adolescents, Age 9-18 (must renew order every two (2) hours, and four (4) hours for adults."

During a review of the clinical record for Patient 5, the date of admission was recorded as March 19, 2016, at 7:59 a.m. with a diagnosis of severe depression (a feeling of sadness), and seizure disorder (a sudden disruption of the brain's normal electrical activity accompanied by altered consciousness).

During a review of the clinical record for Patient 5, the admission assessment history, dated March 19, 2016, at 10:42 a.m., indicated Patient 5 is allergic to Depakote (anti-epileptic medication), Lithium (a mood stabilizer), Seroquel (anti-psychotic medication), Zoloft (an antidepressant medication), and Haldol (an antidepressant medication).

During a review of the clinical record for Patient 5, it was discovered the Pharmacy Department kept a list of patient's allergy history. Patient 5's allergy history was recorded as "No known allergies."

During a review of the clinical record for Patient 5, the medication administration record (MAR) dated March 19, 2016, indicated "No known allergies."

During a review of the clinical record for Patient 6, the MAR, undated, was without evidence the nurse had documented allergies.

During a review of the clinical record for Patient 6, the medication reconciliation form dated March 20, 2016, through March 22, 2016, indicated Patient 6 is allergic to Tegretol (an anti-convulsant).

During a review of the clinical record for Patient 17, the date of admission was recorded as March 22, 2016, for a pelvic mass and abdominal pain.

During a review of the clinical record for Patient 17, the document titled "Admission Assessment History" dated March 22, 2016, at 9:50 p.m. indicated Patient 17 had an allergy to [name of antibiotic] (an antibiotic used for the treatment of a number of bacterial infections).

During a review of the clinical record for Patient 17, the MAR dated March 22, 2016, was without evidence of allergy documentation by nursing.

During a review of the clinical record for Patient 17, the MAR, dated March 23, 2016, indicated nursing documented "No known drug allergies."

During a review of the clinical record for Patient 17, the MAR, dated March 24, 2016, indicated nursing documented "No known drug allergies."

During a review of the clinical record for Patient 17, the MAR dated March 25, 2016, at 12 a.m., was without evidence of allergy documentation by nursing.

During a review of the clinical record for Patient 17, the MAR dated March 26, 2016, at 12 a.m., was without evidence of allergy documentation by nursing.

During a review of the clinical record for Patient 17, the MAR dated March 27, 2016, at 12 a.m., was without evidence of allergy documentation by nursing.

During an interview with the Pharmacist on April 27, 2016, at 12:09 p.m., he stated "When there is a change in patient medication allergies, the nurse should call him, or notify him by faxing the change of allergies."

During an interview with the Registered Nurse (RN 3) on April 27, 2016, at 11:36 a.m., she stated the nurses should notify pharmacy of allergies and transcribe the allergy onto the MAR correctly.

The facility policy and procedure titled "Medication reconciliation", dated May 2015, indicated: "The Physician, Nurse Clinician, or other Healthcare Practitioner uses the medication reconciliation record to record the admitted , patient allergies, and to list all medications/herbals being taken by the patient at home as completely as possible. Admission orders are compared to the pre-admission medication list: any variances are reconciled."


During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 19, 2016, at 9:05 p.m. indicated the following:

Gabapentin - 300 milligrams (mg - a unit of measure), by mouth (PO), every 8 hours for neuropathic pain.

No documented evidence could be found to indicate the medication had been transcribed from the "Physician's Order Sheet" onto the Medication Administration Record (MAR - a record of patient medications ordered by the physician to be given by a nurse).


During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 20, 2016, at 8:00 p.m. indicated the following:

Stop: Gabapentin 300 mg every 8 hours for neuropathic pain

Start: Gabapentin 600 mg every 8 hours for neuropathic pain

No documented evidence could be found to indicate the medication order for Gabapentin 300 mg, as written by the Physician, on March 19, 2016, at 9:05 p.m., had been transcribed onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on March 28, 2016, at 9:15 a.m. she stated "The nurse should have transcribed the Gabapentin 300 mg onto the MAR, crossed it out as discontinued..."

During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 20, 2016, at 9:11 p.m., indicated the following:

Magnesium 2 grams (a unit of measure) intravenous (IV - [within the vein] - liquid substances directly into the vein) for Magnesium repletion (to completely refill);

Potassium (a mineral supplement used to treat low potassium levels in the blood) 40 milliequivalents (meq - a unit of measure) PO liquid, for potassium repletion, once.

No documented evidence could be found to indicate the medications had been transcribed from the "Physician's Order Sheet" onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on April 28, 2016, at 9:15 a.m., she stated she was unable to find evidence the magnesium and potassium, as ordered, had been given.

During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 31, 2016, at 8:55 a.m., indicated the following:

Fluconazole (a drug used to treat fungal infections) 800 mg - 1 tab PO daily, for fungal bacteremia, today;

Fluconazole 400 mg - 1 tab PO daily for fungal bacteremia, to start April 1, 2016.

No documented evidence could be found to indicate the Fluconazole 800 mg dose had been transcribed from the "Physician's Order Sheet" onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry units, on April 28, 2016, at 9:15 a.m., she stated she was unable to find evidence the medication had been given.

During a review of the clinical record for Patient 22, the document titled "Physician's Order Sheet" dated March 21, 2016, at 2:00 p.m., indicated the following:

Epogen 10,000 units (a measurement) intravenous (IV - [within the vein] - liquid substances directly into the vein) after each dialysis (a process through which a machine is used to wash the blood of waste and remove excess fluid from the body).

During a review of a two page document titled "[name of facility]" dated March 21, 2016, at 3 p.m., indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."

There is no documented evidence the medication, Epogen 10,000 units, had been administered by the HD Nurse, per the physician's order.

A review of the two page document titled "[name of facility]" dated March 23, 2016, at 20:00 p.m., indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."

There is no documented evidence the medication, Epogen 10,000 units, had been administered by the HD Nurse, per the physician's order.

During an interview with the Director of Medical/Surgical/Telemetry units on March 28, 2016, at 9:15 a.m., she stated "The Epogen medication should have been signed off here (pointing to the Medication box on the Hemodialysis order sheet) for the two dialysis dates of March 21, and March 22, 2016, after reviewing the hemodialysis nursing notes."


During a review of the clinical record for Patient 33, the document titled "Physician's Order Sheet" dated March 21, 2016, at 9:59 a.m., indicated the following:

1.) Dialysis (a process through which a machine is used to wash the blood of waste and remove excess fluid from the body) for 3/21- 3.5 hours...

2.) Procrit - (a medication used to treat low red blood cells in the body) 5000 units (a level of measurement) intravenous (IV - [within the vein] - liquid substances directly into the vein) push on Monday (M) - Wednesday (W) - and Friday (F) - post (after) to be given by the HD Nurse (a nurse who is specially trained to provide the dialysis treatment)...

During a review of the clinical record for Patient 33, the document titled "Medication Administration Record (MAR)" dated March 21, 2016 at 00:00 through March 21, 2016, at 23:59 p.m., indicated the following medications were without the required documentation indicated.

1. Metoprolol Tartrate 50 milligrams (mg - a level of measurement) - BID (twice a day) - the initials of the Registered Nurse (RN) who completed the MAR and the "Start" date for administration of the medication.

2. Omeprazole - (a medication used to treat too much stomach acid) 20 mg - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

3. Procrit - 5000 units to be given IV push on Monday (M) - Wednesday (W) - and Friday (F) post (after) HD, by the HD Nurse- the initial of the RN who completed the entry on the MAR and the "Start" date for administration of the medication.

There were no identifying initials by the HD Nurse, to indicate the medication had been given after the ordered hemodialysis treatment, which was to be conducted on "3/21 for 3.5 hours" as ordered by the physician.

On further review of Patient 33's clinical record, documentation of the HD treatment to be completed on "3/21 for 3.5 hours" could not be found.


4. Nephrovite (a dietary supplement for the kidney) - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

During a review of the clinical record for Patient 33, the MAR, dated March 22, 2016, 12 a.m., through March 22, 2016, 23:59 p.m., the following medications were without the required documentation indicated:

1. Metoprolol Tartrate (a medication used to control blood pressure) 50 mg - the initial of the RN who completed the MAR, the time of day to be given, and the "Start" date for administration of the medication.

2. Omeprazole (a medication used to treat too much stomach acid) 20 mg - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

3. Nephrovite (a dietary supplement for the kidney) - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

4. Procrit 5,000 units to be given IV push on Monday (M) - Wednesday (W), and Friday (F) post hemodialysis by the HD Nurse - the initial of the RN who completed the entry on the MAR, and the "Start" date for administration of the medication.

5. Miralax (a laxative) one packet twice a day - the initial of the RN who completed the entry on the MAR, and the time of day to be given.

During a review of the clinical record for Patient 33, a two page document titled "[name of facility]" dated March 22, 2016, at 16:15 p.m., indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."
There is no documented evidence of medication administered by the HD Nurse as having been given per the physician's order.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on April 28, 2016, at 9:00 a.m., she stated "The Hemodialysis Nurse is supposed to document the time or write a note on the Medication Administration Record (MAR) when medications are given during a hemodialysis treatment...this has been discussed with the dialysis nurse before, they need to document on the dialysis sheet..."

The DMST was unable to find documented evidence of the medication Procrit as having been given by the dialysis nurse.


A review of the facility policy and procedure titled "[Name of electronic medical health record program]", dated May, 2015, indicated the following:
"Policy: Medications are to be administered and documented accurately..."
VIOLATION: SUPERVISION OF CONTRACT STAFF Tag No: A0398
Based on observation, interview, and record review, the facility failed to ensure staff had adequate training which had the potential to affect the delivery of care to a universe of thirty-nine patients.

Findings:

A review of the employee file training record for the Licensed Vocational Nurse (LVN 1) undated indicated there were missing signatures of the LVN to verify training was complete.

A review of the employee file training record for the Licensed Vocational Nurse (LVN 2) dated January 16, 2016, indicated there were missing signatures of the LVN to verify training was complete.

During an interview with the Nursing Administrative Secretary (NAS) on April 28, 2016, at 5:22 p.m., he stated the licensed vocational nurses should've signed all training documents during orientation.

The facility policy and procedure titled "Registry Personnel Licensure, Competence and Orientation", dated September 2015, indicated: "When a registry employee is scheduled to work at facility, the staffing coordinator/ House Supervisor/ Charge Nurse shall review registry files to determine Orientation essentials package completed and graded. A unit specific orientation shall be provided to the registry personnel. This shall include but not limited to the hospital and unit layout. Emergency procedures, Nursing services policies and procedures, and safety policies and procedures. If a Registry Personnel is unable to meet the criteria for the assigned position as documented on the Registry Personnel Evaluation form, the department manager or his/her designee will notify the Registry Agency and the person will not be assigned to our hospital again."
VIOLATION: MEDICAL RECORD SERVICES Tag No: A0431
The hospital failed to ensure the Conditions of Participation CFR 482.24 Medical Records Services was met by failing to:

1) Ensure background checks were cleared on facility employee prior to date of hire which had the potential to place 39 patients at risk for abuse, neglect, and mistreatment. (refer to A-0432).

2) Ensure medical records were accurate and complete for 6 of 34 sampled Patients. (refer to A-0438)

3) Ensure the facility's computer system was protected from a cyber-attack with a ransom demand (a malware intrusion demanding money for an exchange of pass codes in order to retrieve their system). (refer to A-0441)

The cumulative effect of these systemic problems resulted in the failure of the hospital to deliver care in a safe setting and be in compliance with the Condition of Participation for Medical Records.
VIOLATION: ORGANIZATION AND STAFFING Tag No: A0432
Based on observation, interview, and record review, the facility failed to ensure background checks were cleared for an employee prior to date of hire. This failure had the potential to place 39 patients at risk for abuse, neglect, and mistreatment.

Findings:

A review of the employee file record for Coder II, indicated the date of hire was July 24, 2006. The criminal screening was cleared on July 26, 2016.

During an interview with the Director of Human Resources (DOHR) on April 28, 2016, at 3:21 p.m., she stated "We wouldn't hire her until background was cleared."

The facility policy and procedure titled "Background Checks," dated February 2016, indicated: "Prior to an offer of employment to a selected applicant, the following steps will be followed to ensure a complete background screening. The applicant is notified of the need to provide authorization for a background screening. The applicant is provided with all necessary documents as well as detailed information regarding the background screening process. After an authorization is received, the required forms are forwarded to the selected vendor to begin the background screening. Once the job-related results of the check are received, the department head/director/manager/supervisor is notified of the clearance."
VIOLATION: FORM AND RETENTION OF RECORDS Tag No: A0438
**NOTE- TERMS IN BRACKETS HAVE BEEN EDITED TO PROTECT CONFIDENTIALITY**

Based on observation, interview, and record review, the facility failed to ensure medical records were accurate and complete for six of 34 sampled Patients, as evidenced by:

1. The nursing staff did not document the code (the behavior status of the patient while in bilateral wrist restraints) on the medical nonviolent restraints flow sheet (a document used for staff to document patient intervention and behavior) for Patient 6.

2. The physician did not sign or date the restraint order for Patient 6.

3. Allergies were inaccurately transcribed to the Medication Administration Record (MAR) for sampled Patients 5, 6, and 17.

4. The Medication Administration Record was incomplete for Patients 21, 22, and 33.

These failures had the potential for patients to not receive care and services in a timely manner which could negatively impact the health and well-being of Patients in a universe of 39 patients.


Findings:

1. Patient 6 was admitted on [DATE] for respiratory failure (not enough oxygen passes from the lungs into the blood).
During a review of the clinical record for Patient 6, the medical non-violent restraint flow sheet dated March 20, 2016, indicated the nursing staff did not document the codes (the behavior status of the patient while in bilateral wrist soft restraints, patient needs, assessments, and interventions) for the following times:
a. 7 a.m. - 9 a.m.
b. 9:01 a.m. - 11 a.m.
c. 11:01 a.m. - 1 p.m.
d. 1:01 p.m. - 3 p.m.

During a review of the clinical record for Patient 6, the medical non-violent restraint flow sheet dated March 21, 2016, indicated the nursing staff did not document the codes for the following times, during a 12 hour nursing shift:

a. 7 a.m. - 9 a.m.
b. 9:01 a.m. - 11 a.m.
c. 11:01 a.m. - 1 p.m.
d. 1:01 p.m. - 3 p.m.
e. 3:01 p.m. - 5 p.m.
f. 5:01 p.m. - 7 p.m.
g. 3:01 a.m. - 5 a.m.
h. 5:01 a.m. - 7 a.m.

During an interview with the Registered Nurse (RN 1), on April 26, 2016, at 4:50 p.m., she stated the nursing staff should have documented the codes (the behavior status of the patient while in bilateral wrist soft restraints, patient needs, assessments, and interventions) for March 20 and 21, 2016.

The facility policy and procedure titled "Restraint Use," dated July 2013, indicated: "The restraint flow sheet is a two-part form. The white original copy is retained on the medical record and the carbon copy is forwarded to nursing administration for data analysis. Data analysis will provide the impetus for quality initiatives by identifying the behavior warranting the use of restraint as a therapeutic intervention. Identifying those least restrictive interventions that are initiated prior to the initiation of restraints. Identifying those interventions that are effective in reducing the time that restraints are utilized."

2. During a review of the clinical record for Patient 6, the medical non-violent restraint physician's orders dated March 20, 2016, at 12:09 p.m., indicated there was no physician's date and time.

During an interview with the Chief Nursing Officer (CNO) on April 26, 2016, at 4:51 p.m., he confirmed the physician should have dated and timed the orders immediately.

The facility policy and procedure titled "Restraint Use," dated July 2013, indicated: "Each restraint order is time limited and written for a specific episode. The use of the restraint requires a physician's order specifying the type of device, purpose of the device, and length of time the restraint is to be used. The maximum time limit for the order and the use of restraints is one (1) hour of children under age 9 (must renew every two (2) hours, Pediatric patients are not restrained except for the duration of an invasive procedure, Two (2) hours for children and adolescents, Age 9-18 (must renew order every two (2) hours, and four (4) hours for adults."

3. Patient 5 was admitted on [DATE], at 7:59 a.m., with severe depression (a feeling of sadness) and seizure disorder (a sudden disruption of the brain's normal electrical activity accompanied by altered consciousness).

During a review of the clinical record for Patient 5, the admission assessment history dated March 19, 2016, at 10:42 AM, indicated Patient 5 is allergic to Depakote (anti-epileptic medication), Lithium (a mood stabilizer), Seroquel (anti-psychotic medication), Zoloft (an antidepressant medication), and Haldol (an antidepressant medication).

During a review of the clinical record for Patient 5, it was discovered the Pharmacy Department kept a list of patient's allergy history. Patient 5's allergy history was recorded as "No known allergies."

During a review of the clinical record for Patient 5, the MAR dated March 19, 2016, indicated, "No known allergies."

During a review of the clinical record for Patient 6, the MAR, undated, was without evidence of nursing documentation of any allergies.

During a review of the clinical record for Patient 6, the medication reconciliation form dated March 20, 2016, thru March 22, 2016, indicated patient is allergic to Tegretol (an anti-convulsant).

The clinical record for Patient 17, admitted on [DATE], indicated a diagnosis of pelvic mass (an abnormal growth in the lower abdomen or pelvic region) and abdominal pain.

During a review of the clinical record for Patient 17, the document titled "Admission Assessment History" dated March 22, 2016, at 9:50 p.m., indicated Patient 17 was allergic to [name of antibiotic] (an antibiotic used for the treatment of a number of bacterial infections).

During a review of the clinical record for Patient 17, the MAR, undated, indicated the nurses did not document any allergies.

During a review of the clinical record for Patient 17, the MAR, dated March 23, 2016, indicated nursing had entered "No known drug allergies."

During a review of the clinical record for Patient 17, the MAR, dated March 24, 2016, indicated nursing had entered "No known drug allergies."

During a review of the clinical record for Patient 17, the MAR, dated March 25, 2016, at 12 a.m., was without evidence nursing had documented any allergies.

During a review of the clinical record for Patient 17, the MAR, dated March 26, 2016, at 12 a.m., was without evidence nursing had documented any allergies.

During a review of the clinical record for Patient 17, the MAR, dated March 27, 2016, at 12 a.m., was without evidence nursing had documented any allergies.

During an interview with the Pharmacist on April 27, 2016, at 12:09 p.m., he stated that when there is a change in patient medication allergies, the nurse should call him, or notify him by faxing the change of allergies.

During an interview with the Registered Nurse (RN 3) on April 27, 2016, at 11:36 a.m., she stated the nurses should notify pharmacy of allergies and transcribe the allergies onto the MAR correctly.

The facility policy and procedure titled "Medication reconciliation," dated May 2015, indicated: "The Physician, Nurse Clinician, or other Healthcare Practitioner uses the medication reconciliation record to record the admitted , patient allergies, and to list all medications/herbals being taken by the patient at home as completely as possible. Admission orders are compared to the pre-admission medication list: any variances are reconciled."






4. During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 19, 2016, at 9:05 PM, indicated the following:

Gabapentin - 300 milligrams (mg - a unit of measure), by mouth (PO), every 8 hours for (neuropathic pain).

No documented evidence could be found to indicate the medication had been transcribed from the "Physician's Order Sheet" onto the Medication Administration Record (MAR - a record of patient medications ordered by the physician to be given by a nurse).


During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 20, 2016, at 8:00 PM, indicated the following:

Stop: Gabapentin 300 mg every 8 hours for neuropathic pain

Start: Gabapentin 600 mg every 8 hours for neuropathic pain

No documented evidence could be found to indicate the medication order for Gabapentin 300 mg, as written by the Physician, on March 19, 2016, at 9:05 PM, had been transcribed onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on March 28, 2016, at 9:15 AM, she stated "The nurse should have transcribed the Gabapentin 300 mg onto the MAR, crossed it out as discontinued..."

During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 20, 2016, at 9:11 PM, indicated the following:

Magnesium 2 grams (a unit of measure) intravenous (IV - [within the vein] - liquid substances directly into the vein) for Magnesium repletion (to completely refill);

Potassium (a mineral supplement used to treat low potassium levels in the blood) 40 milliequivalents (meq - a unit of measure) PO liquid, for potassium repletion, once.

No documented evidence could be found to indicate the medications had been transcribed from the "Physician's Order Sheet" onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on April 28, 2016, at 9:15 AM, she stated she was unable to find evidence the magnesium and potassium, as ordered had been given.

During a review of the clinical record for Patient 21, the document titled "Physician's Order Sheet" dated March 31, 2016, at 8:55 AM indicated the following:

Fluconazole (a drug used to treat fungal infections) 800 mg - 1 tab PO daily, for fungal bacteremia, today;

Fluconazole 400 mg - 1 tab PO daily for fungal bacteremia, to start April 1, 2016.

No documented evidence could be found to indicate the Fluconazole 800 mg dose had been transcribed from the "Physician's Order Sheet" onto the MAR.

During an interview with the Director of Medical/Surgical/Telemetry units, on April 28, 2016, at 9:15 AM, she stated she was unable to find documentation the medication had been given.

During a review of the clinical record for Patient 22, the document titled "Physician's Order Sheet" dated March 21, 2016, at 2:00 PM, indicated the following:

Epogen 10,000 units (a measurement) intravenous (IV - [within the vein] - liquid substances directly into the vein) after each dialysis (a process through which a machine is used to wash the blood of waste and remove excess fluid from the body).

A review of a two page document titled "[name of facility]" dated March 21, 2016 at 13:00 PM, indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."

There is no documented evidence the medication, Epogen 10,000 units, had been administered by the HD Nurse, per the physician's order.

A review of the two page document titled "[name of facility]" dated March 23, 2016, at 20:00 PM, indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."

There is no documented evidence the medication, Epogen 10,000 units, had been administered by the HD Nurse, per the physician's order.

During an interview with the Director of Medical/Surgical/Telemetry units on March 28, 2016, at 9:15 AM, she stated "The Epogen medication should have been signed off here (pointing to the Medication box on the Hemodialysis order sheet) for the two dialysis dates of March 21, and March 22, 2016, after reviewing the hemodialysis nursing notes."


During a review of the clinical record for Patient 33, the document titled "Physician's Order Sheet" dated March 21, 2016 at 9:59 AM indicated the following:

1.) Dialysis (a process through which a machine is used to wash the blood of waste and remove excess fluid from the body) for 3/21- 3.5 hours...

2.) Procrit - (a medication used to treat low red blood cells in the body) 5000 units (a level of measurement) intravenous (IV - [within the vein] - liquid substances directly into the vein) push on Monday (M) - Wednesday (W) - and Friday (F) - post (after) to be given by the HD Nurse (a nurse who is specially trained to provide the dialysis treatment)...

During a review of the clinical record for Patient 33, the document titled "Medication Administration Record (MAR)" dated March 21, 2016 at 00:00 through March 21, 2016 at 23:59, indicated the following medications were without the required documentation indicated.

1. Metoprolol Tartrate 50 milligrams (mg - a level of measurement) - BID (twice a day) - the initials of the Registered Nurse (RN) who completed the MAR and the "Start" date for administration of the medication.

2. Omeprazole - (a medication used to treat too much stomach acid) 20 mg - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

3. Procrit - 5000 units to be given IV push on Monday (M) - Wednesday (W) - and Friday (F) post (after) HD, by the HD Nurse- the initial of the RN who completed the entry on the MAR and the "Start" date for administration of the medication.

There were no identifying initials by the HD Nurse, to indicate the medication had been given after the ordered hemodialysis treatment, which was to be conducted on "3/21 for 3.5 hours" as ordered by the physician.

On further review of Patient 33's clinical record, documentation of the HD treatment to be completed on "3/21 for 3.5 hours" could not be found.


4. Nephrovite (a dietary supplement for the kidney) - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.


During a review of the clinical record for Patient 33, the MAR, dated March 22, 2016 - 00:00, through March 22, 2016 - 23:59, the following medications were without the required documentation indicated:

1. Metoprolol Tartrate (a medication used to control blood pressure) 50 mg - the initial of the RN who completed the MAR, the time of day to be given, and the "Start" date for administration of the medication.

2. Omeprazole (a medication used to treat too much stomach acid) 20 mg - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

3. Nephrovite (a dietary supplement for the kidney) - the initial of the RN who completed the entry on the MAR, the time of day to be given, and the "Start" date for administration of the medication.

4. Procrit 5,000 units to be given IV push on Monday (M) - Wednesday (W) - and Friday (F) post hemodialysis by the HD Nurse - the initial of the RN who completed the entry on the MAR, and the "Start" date for administration of the medication.

5. Miralax (a laxative) one packet twice a day - the initial of the RN who completed the entry on the MAR, and the time of day to be given.

During a review of the clinical record for Patient 33, a two page document titled "[name of facility]" dated March 22, 2016 at 16:15 PM, indicated "Hemodialysis orders:...Medication...Dose...Route...Reason for Admin/Comment...Time...Initials..."
There is no documented evidence that medication was administered by the HD Nurse per the physician's order.

During an interview with the Director of Medical/Surgical/Telemetry (DMST) units, on April 28, 2016 at 9:00 AM, she stated "the Hemodialysis Nurse is supposed to document the time or write a note on the Medication Administration Record (MAR) when medications are given during a hemodialysis treatment...this has been discussed with the dialysis nurse before, they need to document on the dialysis sheet..."

The DMST was unable to find documented evidence of the medication Procrit as having been given by the dialysis nurse.


A review of the facility policy and procedure titled "[Name of electronic medical health record program]," dated May 2015, indicated the following:
"Policy: Medications are to be administered and documented accurately..."
VIOLATION: CONFIDENTIALITY OF MEDICAL RECORDS Tag No: A0441
Based on observation, interview, and record review, the facility's anti-virus software (a program designed to detect and destroy computer viruses) failed to protect the computer data base system from a cyber-attack (an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network) with a ransom demand by a malware (software that is intended to damage or disable computers and computer systems) intrusion demanding money in exchange for pass codes to allow the facility to retrieve their electronic medical record system (EMRS).

1. The facility's antiviral software (computer software used to prevent and detect disruptive software) failed to prevent a virus intrusion into the hospital computer data base system, which disrupted the EMRS, producing a negative impact on the ability to provide quality patient care.

2. There was no policy and procedure in place on March 18, 2016 during the malware intrusion, as a back-up plan to protect their computer based data system from unauthorized access.

These deficient practices had the potential for unauthorized access of any confidential medical information used in ways not authorized by the patient in a universe of 39 patients.

Findings:

On March 18, 2016, the California Department of Public Health, Licensing and Certification division, received a telephone call from (name of hospital) reporting they received notification of a cyber attack with a ransom demand. The following detailed time line reflects the inability of the facility to provide quality patient care, due to a disruption of vital computerized communication within the hospital's Radiology (the science dealing with x-rays and high radiation for the diagnosis and treatment of diseases) Department, the Laboratory (LAB - a room or building equipped to perform medical tests from blood and/or body fluids and specimens) Department, the emergency room (ER), the Pharmacy (where medicine is dispensed) Department, and nursing units of the facility:


1. A review of the facility document titled "Time Line for IT (Information Technology)" dated March 18, 2016 indicated the following:


At 9:05 PM, the "Computed Tomography Scan" (CT - detailed images of internal organs that cannot be obtained by x-ray) was not transferring CT images to the radiologist for review. The IT department was notified and requested to assist with restoring of the system.

At 11:00 PM, the IT employee arrived and began checking the CT computer linkage problem, discovering the EMRS corruption in the emergency room (ER) and in the Intensive Care Unit (ICU). At this time it was also discovered the paging system (a wireless telecommunication device that receives and displays numeric messages) for the facility was not operational.

On March 19, 2016, at 00:00, the emergency room (ER) was closed due to the determined internal disaster. ER computers were shut down and unplugged from the servers (a computer or device that provides functionality for other programs or devices). This prevented the ability to order lab tests (tests usually from blood and/or body fluids and other types of specimens obtained from the body) and x-rays (a digital image of the internal part of the body). The down time protocol (documentation of patient information completed on paper forms) was activated and the Chief Nursing Officer (CNO) was notified.

At 12:15 AM, the Information Technologist Director (ITD) arrived. He was informed three other [name of corporation] hospitals in the area were also affected. No estimated time of repair was given. The ITD continued waiting for the software vendor's arrival.

At 12:15 AM, a radiologist arrived at the facility to review ER x-rays and CT scans. RN 5 stated the ER was busy and had multiple x-rays and CT scans needing to be read for the patients waiting in the ER.

At 3:50 AM, the computer system was shut down from the server by IT. The Charge Nurses, the Laboratory Department, the Radiology Department, and the Respiratory Therapy Department (treats people with health care issues affecting the heart and lung) were informed.

They needed the on-call Pharmacist (a professional qualified to prepare and dispense medicine) to print the electronic Medication Administration Record (e-MAR) for the patients currently in the hospital, and he could not be reached.

At 5:15 AM, the Pharmacist arrived and printed the e-MARs. The facility was informed by IT there was no estimated time for network/computer repairs or a resolution of IT problems.

At 6:15 AM, as a result of the computer system being non-operational, the lab requested a 45 minute delay before shutting down the electronic medical record system (EMRS) in order to process the morning lab draw specimens.

At 7:00 AM, the EMRS was shut down from the server.

At 6:30 AM, RN 5 spoke to the Chief Nursing Officer (CNO) and then notified the Regional Chief Executive Officer (RCEO) and Chief Medical Officer (CMO).

At 9:15 AM, the decision was made to go on CT diversion (unable to perform CT scans) due to the delay in getting the CT results read.

At 10:00 AM, the California Department of Public Health (CDPH) was notified by the [name of hospital] Nursing Administration that the facility was on internal disaster (ID) due to a cyber-attack.

At 2:15 PM, RN 5 spoke to IT with a concern about no phone numbers programmed into the fax machine and having to manually input numbers into the fax machine before they could send documents.

At 3:00 PM, incomplete discharge instructions were found and 21 discharge instructions were missing.


On Sunday March 20, 2016 the time line indicated:

At 8:30 AM, five ITs arrived from the [name of hospital] corporate office and started scrubbing (overriding an entire computer system) the personnel computers. The facility was told this process would take 10 to 12 hours.

At 1:49 PM, the admitting department reported they are having problems with the wireless personnel computers brought to them for use.

At 5:15 PM, the facility spoke to the ITD. He stated the personnel computers wouldn't be completely scrubbed (overriding the entire computer system) until late evening, or into the early morning of March 21, 2016. It was unknown when the EMRS computer program would be brought back on line.

Monday, March 21, 2016 at 8:30 AM, a meeting was held with the management team and it was determined all personnel computers will remain disconnected from the computer servers...all patient care systems were slow due to the manual process.


A review of the facility document titled "Downtime," undated, provided by the ITD on April 25, 2016, indicated the following:

On March 19, 2016, the facility computer system was shut down at 7:00 AM. The workstation computers were physically unplugged from the network.

On March 20, 2016, the facility computer systems were still off.

On March 21, 2016, installation of security software continued.

On March 22, 2016, imaging of the hospital workstations continued.

On March 23, 2016, additional software needed to be installed on workstations.

On March 24, 2016, the facility electronic health record system was back online at approximately 2:10 PM.

A review of the facility document titled "Status of Systems," undated, provided by the ITD on April 25, 2016, indicated the following:

Cardiopulmonary Department (affecting the heart and lungs): [brand name of a software tool] that merges information from multiple sources requires an upgrade to support the anti-virus and security software. Expected delivery and installation to occur the week of May 5, 2016.


Radiology Department: There are changes required for the security software on the portable x-ray machine to accommodate the workflow.


During an interview with the Chief Nursing Officer, on April 25, 2016 at 3:55 PM, he stated "not all systems are up and running yet..."


During an interview with the Pharmacist, on April 25, 2016 at 4:20 PM, he stated "They kept their electronic health record system running until 7:00 AM, on Saturday...the ITD made the decision to keep the electronic medical record system running until 7:00 AM."

During an interview with the Regional Chief Executive Officer (RCEO), on April 28, 2016 at 2:10 PM, he stated the malware functionality of work station system was taken away.

During an interview with the Chief of Police, for the city of Chino, on April 28, 2016 at 2:15 PM, she stated they have not found who the perpetrator is and they are still working with the Federal Bureau of Investigation (FBI).

During an interview with the President/Chief Medical Officer (CMO), on April 28, at 2:21 PM, he stated "they realize their nurses don't have experience in writing medication on paper...the downtime forms (documents used when the computer system is down) worked for two hours, and then it did not work for three weeks."

2. During an interview with the ITD on April 25, 2016 at 8:30 AM, he stated policies were not developed for the facility's antiviral system. The two new antiviral backup systems were placed after the cyber-attack incident.

During an interview with the President/Chief Medical Officer (CMO), on April 28, 2016 at 2:25 PM, he stated an e-mail was opened at [name of city] facility and the virus attack then spread to the other [name of hospital corporation] facilities.

During a review of the facility document titled "Hospital Risk Management - Assessment of Risk" dated 2016, it indicated "Cyber-attack on computer systems...Malware attack this year. Risk continues to be present for recurrence."

During a review of the document titled "Security Systems" provided by the ITD, undated, it indicated "...Changes were required in the Radiology department for the security software on the portable x-ray machines to accommodate workflow...changes were needed to the security software installed to allow them to function as required for the user workflow."

The facility policy and procedure titled "Security Policy, Information Systems" dated December 2015, indicated: "Virus protection must exist at network points where a potentially infected files enters, leaves or is stored throughout the network. Appropriate backup and recovery plans must be established for business applications. Access to backed-up information must be equal to or more restrictive than security measures taken to protect the original electronic information. Customers and users are accountable and responsible for establishing processes to back up their personal computers or as applicable, local servers contained within a department."


On March 18, 2016 the California Department of Public Health, Licensing and Certification division, received a telephone call from (name of hospital) reporting they received notification of a cyber attack with a ransom demand. The following detailed time line reflects the inability of the facility to provide quality patient care, due to a disruption of vital computerized communication within the hospital's Radiology (the science dealing with x-rays and high radiation for the diagnosis and treatment of diseases) Department, the Laboratory (LAB - a room or building equipped to perform medical tests from blood and/or body fluids and specimens,) Department, the emergency room (ER,) the Pharmacy (where medicine is dispensed) Department and nursing units of the facility:


1. A review of the facility document titled "Time Line for IT (Information Technology)" dated March 18, 2016 indicated the following:


At 9:05 PM, the "Computed Tomography Scan" (CT - detailed images of internal organs that cannot be obtained by x-ray) was not transferring CT images to the radiologist for review. The IT department was notified and requested to assist with restoring of the system.

At 11:00 PM, The IT employee arrived and began checking the CT computer linkage problem, discovering the EMRS corruption in the emergency room (ER,) and in the
Intensive Care Unit (ICU). At this time it was also discovered the paging system (a wireless telecommunication device that receives and displays numeric massages) for the facility was not operational.

On March 19, 2016 at 00:00 the emergency room (ER) was closed due to the determined internal disaster. ER computers were shut down and unplugged from the
servers (a computer or device that provides functionality for other programs or devices).
This prevented the ability to order lab tests (tests usually from blood and/or body fluids and other types of specimens obtained from the body) and x-rays (a digital image of the internal part of the body.) The down time protocol (documentation of patient information completed on paper forms) was activated and the Chief Nursing Officer (CNO) was notified.

AT 12:15 AM, The Information Technologist Director (ITD) arrived. He was informed three other [name of corporation] hospitals in the area were also affected. No estimated time of repair was given. The ITD continued waiting for the software vender's arrival.

At 12:15 AM, a radiologist arrived at the facility to review ER x-rays and CT scans. RN 5 stated the ER was busy and had multiple x-rays and CT scans needing to be read for the patients waiting in the ER.

At 3:50 AM, the computer system was shut down from the server by IT. The Charge Nurses, the Laboratory Department, the Radiology Department, and the Respiratory Therapy Department (treats people with health care issues affecting the
heart and lung) were informed.

They needed the on-call Pharmacist (a professional qualified to prepare and dispense medicine) to print the electronic Medication Administration Record (e-MAR) for the patients currently in the hospital and he was unable to be reach.

AT 5:15 AM, the Pharmacist arrived and printed the e-MAR's. The facility was informed by IT there was no estimated time for network/computer repairs or a resolution of IT problems.

At 6:15 AM, as a result of the computer system being non-operational, the lab requested a 45 minute delay before shutting down the electronic medical record system (EMRS)
in order to process the morning lab draw specimens.

At 7:00 AM, the EMRS was shut down from the server.

At 6:30 AM, RN 5 spoke to the Chief Nursing Officer (CNO) and then notified the Regional Chief Executive Officer (RCEO) and Chief Medical Officer (CMO).

At 9:15 AM, A the decision was made to go on CT diversion (unable to perform CT scans) due to the delay in getting the CT results read.


At 10:00 AM, The California Department of Public Health (CDPH) was notified by the [name of hospital] Nursing Administration that the facility was on internal disaster (ID) due to a cyber-attack.

At 2:15 PM, RN 5 spoke to IT with a concern about no phone numbers programmed into the fax machine and having to manually input numbers into the fax machine before they could send documents.

At 3:00 PM, incomplete discharge instructions were found and 21 discharge instructions were missing.


On Sunday, March 20, 2016, the timeline indicated:

At 8:30 AM, five ITs arrived from the [name of hospital] corporate office and started scrubbing (overriding an entire computer system) the personnel computers. The facility was told this process would take 10 to 12 hours.

At 1:49 PM, the admitting department reported they were having problems with the wireless personnel computers brought to them for use.

At 5:15 PM, the facility spoke to the ITD. He stated the personnel computers wouldn't be completely scrubbed (overriding the entire computer system) until late evening, or into the early morning of March 21, 2016. It was unknown when the EMRS computer program would be brought back on line.

Monday, March 21, 2016 at 8:30 AM, a meeting was held with the management team and it was determined all personnel computers will remain disconnected from the computer servers...all patient care systems were slow due to the manual process.


A review of the facility document titled "Downtime," undated, provided by the IDT on April 25, 2016, indicated the following:

On March 19, 2016 the facility computer system was shut down at 7:00 AM. The workstation computers were physically unplugged from the network.

On March 20, 2016 the facility computer systems were still off.

On March 21, 2016 installation of security software continued.

On March 22, 2016 imaging of the Hospital workstations continued.

On March 23, 2016 additional software needed to be installed on workstations.

On March 24, 2016 the facility electronic health record system was back online at approximately 2:10 PM.

A review of the facility document titled "Status of Systems," undated, provided by the IDT on April 25, 2016, indicated the following:

Cardiopulmonary Department (affecting the heart and lungs): [brand name of a software tool] that merges information from multiple sources requires an upgrade to support the anti-virus and security software. Expected delivery and installation to occur the week of May 5, 2016.


Radiology Department: There are changes required for the security software on the portable x-ray machine to accommodate the workflow.


During an interview with the Chief Nursing Officer, on April 25, 2016 at 3:55 PM, he stated "not all systems are up and running yet..."


During an interview with the Pharmacist, on April 25, 2016 at 4:20 PM, he stated "They kept their electronic health record system running until 7:00 AM, on Saturday...the IDT made the decision to keep the electronic medical record system running until 7:00 AM."

During an interview with the Regional Chief Executive Officer (RCEO), on April 28, 2016 at 2:10 PM, he stated the malware functionality of work station system was taken away.

During an interview with the Chief of Police, for the city of Chino, on April 28, 2016 at 2:15 PM, she stated they have not found who the perpetrator is and they are still working with the Federal Bureau of Investigation (FBI).

During an interview with the President/Chief Medical Officer (CMO), on April 28, at 2:21 PM, he stated "they realize their nurses don't have experience in writing medication on paper...the downtime forms (documents used when the computer system is down) worked for two hours, and then it did not work for three weeks."

2. During an interview with the IDT on April 25, 2016 at 8:30 AM, he stated policies were not developed for the facility's antiviral system. The two new antiviral backup systems were placed after the cyber-attack incident.

During an interview with the President/Chief Medical Officer (CMO), on April 28, 2016 at 2:25 PM, he stated an e-mail was opened at [name of city] facility and the virus attack then spread to the other [name of hospital corporation] facilities.

During a review of the facility document titled "Hospital Risk Management - Assessment of Risk" dated 2016, it indicated "Cyber-attack on computer systems...Malware attack this year. Risk continues to be present for recurrence."

During a review of the document titled "Security Systems" provided by the ITD, undated, it indicated "...Changes were required in the Radiology department for the security software on the portable x-ray machines to accommodate workflow...changes were needed to the security software installed to allow them to function as required for the user workflow."

The facility policy and procedure titled "Security Policy, Information Systems" dated December 2015, indicated: "Virus protection must exist at network points where a potentially infected file enters, leaves or is stored throughout the network. Appropriate backup and recovery plans must be established for business applications. Access to backed-up information must be equal to or more restrictive than security measures taken to protect the original electronic information. Customers and users are accountable and responsible for establishing processes to back up their personal computers or as applicable, local servers contained within a department."


Despite the internal investigation conducted by [name of hospital] to determine the possibility of a breach of protected health information (for the patients who were seen and treated during the facility's cyber-attack event) the unknown information that may have potentially been breached continues to compromise patient confidentiality and protected health related information.




















