ABC 36 Exclusive: private health information leaked from UK HealthCare
LEXINGTON, Ky. (WTVQ) - When you go to the hospital, you probably just want to get better. You’re likely not thinking the private information you’re giving doctors may slip out.
Recently, some of that information made its way out of UK Hospital to someone who never should have seen it.
That’s how ABC 36 came across what should have been private medical records.
A doctor sent two emails to a list of about 60 people. At least one of those people has never had any role at the hospital, but all of a sudden she had access to private medical information that could be yours or your neighbors’.
ABC 36 has been careful not to spread the information, but we do want to show you some of it so you can see what kind of private details the doctor mistakenly sent.
Recently, a surgeon at UK Hospital sent ABC 36 news producer Morgan Henry two emails containing detailed information about patients at the hospital.
“When I saw it, I didn’t really know what to do,” Henry said.
She graduated from UK’s Journalism School more than a year ago, but her university email address still transfers messages to her personal account.
Even though Henry has never had anything to do with the hospital, in the emails, Morgan.Henry@uky.edu shows up in a long list of other UK email addresses that includes one with a similar name.
The emails list patients by last name and include personal, revealing information.
For one patient in the ICU, for example, the email says he has alcoholic cirrhosis, consulting doctors said nothing can be done, and his brother asked them to keep him comfortable.
For Morgan, it’s notes on a woman with Alzheimer’s that deeply affect her.
“…needs comfort care, but family not willing. She will die soon. Family does not want to talk…” Henry read from one of the emails.
It says right in the subject line “confidential”.
“There’s things you don’t want your family or friends to know,” Larry Charles Griffin, a patient at the hospital, said.
“My son is terminal. They’ve given him one to three weeks to live and I hope I’m not the family they’re referring to,” Cheri Powers said.
ABC 36 asked the hospital how this could have happened.
PR Director Kristi Willett didn’t grant our request for an interview, but sent this statement.
UK HEALTHCARE STATEMENT RE: EMAIL INCIDENT
Thank you for bringing the inadvertent sending of an email to our attention. Immediate action has been taken by UK HealthCare regarding this incident.
Protecting patient privacy is of the utmost importance and of the highest priority for UK HealthCare and we provide extensive training on our privacy policies and procedures to all employees. However, mistakes sometimes do occur. In such cases, UK HealthCare’s Corporate Compliance Office engages our standard procedures which are to investigate and mitigate each incident or occurrence.
In this specific case, an email with patient information was inadvertently sent to someone who was not intended to be included. This issue has been reported to the UK HealthCare privacy officer who began an investigation of the incident. The privacy officer will work to ensure that the email address recipient list is corrected and conduct a HIPAA (Health Insurance Portability and Accountability Act) breach risk analysis. Additionally, notification will be made to any patients as required by federal or state law.
The statement thanks ABC 36 for bringing the email to the staff’s attention.
It explains that UK HealthCare provides “…extensive training…however, mistakes sometimes do occur.”
“There’s definitely patient information involved and names attached to it, which qualifies for sure as a HIPAA breach,” Penn Law School Professor Allison K. Hoffman, a national expert on health care law and policy, said.
Hoffman says mistakes do happen. Based on its statement, though, she says the hospital is taking the correct legal steps by launching an investigation.
Morgan did get an email from UK HealthCare’s Chief Privacy Officer.
Dear Ms. Henry,
I received notification from our public relations that you inadvertently received an email from UK HealthCare with patient information in the email. I apologize that you received this email in error. Out of concern for our patients’ privacy, we would like to request that you delete the email to ensure no further copies are made. I also want to assure you that we will fully investigate the situation and notify patients if required by federal and state law. Protecting patient privacy is of the utmost importance and of the highest priority for UK HealthCare and we appreciate your assistance in resolving this matter.
What we don’t know from the statement, nor from this follow up email, is exactly how the mistake was made.
If it took ABC 36 pointing this out for UK to realize its mistake, could this have happened in the past?
“Part of what the hospital should be looking for now is was this just a slip of the hand on the keyboard and a one off kind of mistake or is this part of a culture where the privacy policies, practices, procedures, the security, safeguards are not sufficient?” Hoffman said.
According to the professor, that’s what would determine if there should be a policy change.
Why even use an email list, though? Why not implement a foolproof system? Some information is so sensitive that it should never get out.
“They’re balancing the security protections and the systems they put in place against usability against good transfer of patients from one shift to the next against the cost of putting systems into place so I can’t say for sure if what they’ve done’s enough,” Hoffman said.
She says that, since fewer than 500 patients are involved, the hospital’s privacy officer likely won’t even have to report this to the government’s Office for Civil Rights (OCR) until he submits an annual report.
Hoffman says there’s debate over how effective HIPAA even is at protecting patients’ privacy.
Any leak of your personal details probably seems unacceptable, but for the hospital, it could be minor.
It depends on how sensitive the information is and who sees it.
“If there’s a risk that you’re going to broadcast that information on the nightly news that’s a high risk and that’s something the hospital should really worry about and act immediately,” Hoffman said.
If the hospital considers the breach low-risk, Hoffman says it doesn’t even have to let patients know. A leak might seem low-risk until you’re the one involved.
“I would never do anything with the information, but someone else might,” Henry said.
Patient Larry Charles Griffin says it worries him.
“You know, as a carpenter, I always measure twice and cut one time. They should think twice before they even send something out like that,” he said.
“You come to the hospital trusting your family’s going to be taken care of and privacy. It would never occur to me that it was not private,” Powers said.
Information like this in the wrong hands could easily be abused.
It is worth noting that, soon after the surgeon sent the emails, ABC 36 called the hospital to see if the breach had any real effect. We gave the operator only the information we had: the patient’s last name, the area of the hospital they were in, and medical details.
Almost every time, we were connected to a patient room or the nurse’s station nearby.
We didn’t try to find any new information, but the details we had were enough to find the patient.
You can find information about your rights under HIPAA here.