William Wells arrived at the emergency room at St. Mary Medical Center in Long Beach on April 9 mortally wounded. The 60-year-old had been stabbed more than a dozen times by a fellow nursing home resident, his throat slashed so savagely he was almost decapitated.
Instead of focusing on treating him, an employee said, St. Mary nurses and other hospital staff did the unthinkable: They snapped photos of the dying man and posted them on Facebook.
Four staff members were fired and three disciplined, according to a St. Mary spokeswoman. At least two nurses were involved, but none was fired, a union spokesman said.
Hospital officials in California and elsewhere have faced an uneasy relationship with Facebook and other forms of social networking. Managers, struggling to prevent staffers from posting patient information on the sites, have developed no-tolerance policies and blocked employees from using Facebook and similar websites at work. The restrictions are being enforced as hospitals tout such sites as a way to boost their images and reach more patients.
Shoring up patient privacy is particularly important for hospitals, including Cedars-Sinai Medical Center, Kaiser Permanente Bellflower Medical Center and Ronald Reagan UCLA Medical Center in Southern California, that have faced investigations in recent years after employees improperly accessed patient records, including some for celebrity patients.
"It's bad enough if it's an unauthorized person checking something for curiosity's sake. It's another thing to have that then broadcast to dozens or even hundreds of people if not the Internet itself," said Anthony Wright, executive director of Health Access, a Sacramento-based patient advocacy group. "People have an expectation of privacy."
In June, five nurses were fired at Tri-City Medical Center in Oceanside after hospital managers discovered they had been discussing patients on Facebook. Hospital officials reported the incident to the California Department of Public Health, according to hospital spokeswoman Courtney Berlin. The department is investigating, a spokesman said.
Last month, Tri-City required employees to sign a new social media agreement concerning such sites as MySpace, Zoho and Eventful, among others, that noted, "Even if the patient is not identified by name or by the medical record number the information you disclose may identify that patient."
Tri-City officials would not disclose what the nurses wrote on Facebook.
The nurses have appealed their firings, insisting they did not violate patient privacy, according to Chuck Idelson, a spokesman for California Nurses Assn., which represents the nurses. Idelson also declined to say what the nurses wrote that led to the dismissals.
Three year ago, Tri-City officials fired five nurses and five staff members for taking cellphone photos of a suicidal patient and patient X-rays.
In the incident at St. Mary Medical Center, nurses and staff posted a photograph of Wells on their public Facebook accounts for about two days before fellow staffers reported them to hospital officials, according to an employee who saw the photo and Facebook posts. Hospital staffers also circulated the photo in text messages, said the employee, who asked not to be identified for fear of being fired.
Hospital spokeswoman Daa'iyah Jordan confirmed that staffers posted a photograph of a patient online, but would not identify the staffers or patient or say where the photo was posted. She said hospital officials notified the patient's family and regulators at the California Department of Public Health.
The department is investigating that incident, along with eight other potential breaches of patient information at the hospital this year, according to Ralph Montano, a department spokesman.
Facebook spokesman Simon Axten said he could not confirm when the photo was posted or removed, citing the company's confidentiality policy.
Wells died soon after the photo was taken, his suspected attacker was arrested and his death ruled a homicide, according to an autopsy report. His death is being investigated by Long Beach police and the California Department of Social Services, according to the department's spokeswoman, Lizelda Lopez. His relatives declined to comment.
Nurses often use their own Facebook pages and other social networking sites to trade information, seek advice and vent, according to Idelson, the union spokesman. He said he believes it is rare for nurses to post unauthorized patient photographs. He said union officials urge nurses never to post patient-related information online, calling sites intended for social networking "an open book."
"People may think they're protected so that what they post can only be seen by a friend or family member, but life has proved otherwise," Idelson said.
Rebekah Child, a registered nurse at Cedars-Sinai's emergency room, blogs for http://www.scrubsmag.com and said she knows many nurses who write about patients on Facebook, some while they are working.
"I've seen nurses say, 'The patient in bed nine' and somebody could figure out who they're speaking about, or, 'This patient came in with a heart attack,' " she said.
Many hospitals are adopting no-tolerance policies for the release of patient information online, which covers everything from patient names to seemingly innocuous details such as weight. Los Angeles County's Department of Health Services, for example, requires employees to sign an agreement that they will not release patient information through any non-county website.
"If you're giving any data about a patient at all, you've breached the privacy," said Pam Lane, vice president of health informatics with the California Hospital Assn. "People are doing it and they are losing their jobs."
The state does not track online breaches of patient privacy separately from other breaches.
So far this year, 686 breaches of patient privacy have been reported at hospitals statewide and substantiated by investigators at the California Department of Public Health, including four by healthcare workers, Montano said.
Last year, 1,407 such breaches were substantiated, including 18 by healthcare workers, he said.
He said the department has issued eight fines for such privacy breaches totaling more than $1.1 million since two state laws governing patient privacy took effect last year.
News of the Facebook posting at St. Mary coincided with the hospital's launch of a massive online marketing campaign last month that will include a new Facebook page, Twitter account and appearances by doctors on YouTube.
It joins 49 other hospitals statewide with a presence on YouTube, Facebook, Twitter or blogs, a fraction of the state's 425 hospitals but more than in any other state except New York, according to Ed Bennett, director of Web strategy at University of Maryland Medical System. The group has grown to include hospitals in every state, 744 as of last month, Bennett said, about 15% of the nation's hospitals.
Bennett has tracked the rise of social networking among hospitals on his blog for the last two years, as the interactive world increasingly caters to the healthcare industry. For instance, the Technology, Entertainment and Design (TED) talks added a TEDMED conference in San Diego and Austin's SXSW Interactive Festival added Health 2.0 panel.
He said officials at many of the nation's leading hospitals, including the Mayo Clinic and Cleveland Clinic, are attempting to safeguard patient privacy as they expand their presence on social networking sites by raising awareness among staffers about how privacy protections such as the Health Insurance Portability and Accountability Act apply online.
"We already have guidelines; social media is simply another form of communication. It's no different from e-mail or talking to someone in an elevator," Bennett said. "The safe advice is to assume anything you put out on a social media site has the potential to be public."