A communications official at Northern Light Acadia Hospital in Bangor mistakenly emailed the confidential names of 300 patients with prescriptions for Suboxone, a medication used to treat opioid use disorder, to an editor at the Bangor Daily News last week.
In addition to their names, the list also contained the identities of the patients’ medical providers, all of which is protected under federal privacy laws that prohibit health care organizations from disclosing personal patient information to the public without permission. Disclosing that a person takes Suboxone effectively outs him or her for seeking treatment for opioid addiction.
In this case, Acadia’s director of communications, Alan Comeau, forwarded an email containing the spreadsheet with patient names to Erin Rhoda, the BDN’s investigations editor, who did not share the names with anyone. The BDN destroyed the file. Comeau also copied two Northern Light Health communications staff on the email.
Upon realizing the error and conducting an internal investigation, Acadia’s president, Scott Oxley, determined that the misfired email was an “isolated” accident that resulted from human error, not a systemic problem with how the hospital secures confidential patient information.
The blunder reflects the ongoing vulnerability of sensitive patient information in a digital age, even with rules in place to secure its privacy. It could lead to an audit of the hospital’s privacy and security protocols, and expose it to lawsuits from affected patients. Acadia is required to report the incident to federal regulators.
“For us, this is a huge deal. Three hundred names were shared unintentionally. They were shared nonetheless. This never should have happened,” Oxley said in an interview on Wednesday, a week after the hospital erroneously emailed the list.
“We’re not making any excuses for this, but we don’t classify this mistake as a systematic issue,” he said, saying that other than accidentally sending the email to the BDN, the hospital did not find any other violations of federal compliance laws.
Still, Oxley said, Acadia is working with its information technology department to install measures that ensure confidential electronic information doesn’t unintentionally leave the hospital again. And in the meantime, the hospital plans to notify the patients who were affected by the release and to take immediate steps to regain their trust, he said. Anyone with questions can call the hospital on its dedicated assistance line at (207) 973-6048.
Medical records that pertain to sensitive and often stigmatized diagnoses, such as a substance use disorder, are subject to confidentiality rules that go beyond the standard federal laws that govern patient privacy. That’s because the fear of disclosing one’s struggle with addiction, which can incite shame and discrimination, can prevent people from seeking treatment.
“There’s a lot of stigma around just coming to Acadia, period, no matter what you’re coming for,” said Patricia Hofmaster, Acadia’s director of privacy and the hospital’s compliance officer. “We don’t want to cause people not to come here. I mean, that’s one of our concerns that this happened and that we’re going to be telling people this happened. We want to mitigate people not coming forward and getting help.”
Acadia Hospital is one of nine hospitals belonging to the Northern Light health care system, and provides both inpatient and community-based psychiatric care and substance use treatment programs at its Stillwater Avenue location.
On Friday, April 5, Rhoda, with the BDN, reached out to a spokesperson for Northern Light to request information for a story about the availability of Suboxone in the Bangor region. She wanted to know the aggregate number of patients receiving the medication between 2015 and 2018, as well as the number of Northern Light providers licensed to prescribe it.
Suboxone, the brand name for an oral medication that contains buprenorphine and naloxone, helps reduce cravings and withdrawal symptoms from opioid use disorder, a disease that claims an average of one life a day in Maine, and helps patients maintain long-term recovery.
In response to the request, Comeau, Acadia’s director of communications, forwarded Rhoda a chain of emails he had exchanged with Doug Townsend, the hospital’s associate vice president for adult services and a licensed clinical professional counselor.
“Here is the data for our scripts since 2015,” Townsend wrote to Comeau on April 10. “I assume you want this year by year. This report is the aggregate of those years. Total number is 737. April Brown Lloyd [a senior clinical operations analyst with Northern Light Health, is] working on trying to get the data by year.”
The email exchange from Townsend also contained an attached spreadsheet, titled “Suboxone Patient Report for Doug 2015-2018 (2).xlsx.” But the spreadsheet — which Comeau did not read, Oxley later said — had the names of 300 people who had received prescriptions for Suboxone, as well as their direct providers.
“Thanks for this,” Comeau replied to Townsend. “I will send this data, as well as the other data you sent, to the reporter.”
Rhoda reached Comeau over the phone Thursday morning, April 11, to let him know of his mistake. The hospital immediately began an internal risk assessment to determine the scope of the disclosure and determined that Rhoda was the only person to see the information who was not authorized to do so, Oxley said.
“Fortunately, the magnitude of the error, in terms of its visibility, is very minimal, [limited] to one person,” Oxley said.
Under the Health Insurance Portability and Accountability Act, or HIPAA, the names of patients and their medical records are confidential and cannot be disclosed without permission. (Maine law also protects the confidentiality of medical records.)
Another federal law, referred to as 42 CFR Part 2, requires hospitals to take additional steps to get permission from a patient to share information regarding treatment for a substance use disorder. Both laws in play allow hospital staff to share patient information internally in order to perform essential functions, such as treatment, billing and scheduling, described broadly as “hospital operations.” The intent of CFR Part 2 in particular is to limit the spread of sensitive information to times it’s absolutely necessary.
Oxley said the hospital’s protocols are in compliance with federal law. Acadia declined to share its internal written policies with the BDN, but it outlines the general policy on its website. As the hospital’s communications director, Comeau was authorized to see the contents of the misfired spreadsheet.
“I think the idea that the people that are charged with taking care of people with such a sensitive condition would send this [information] to a PR person is extremely bad judgment and extremely insensitive,” said Dr. Deborah Peel, an Austin-based psychiatrist and the founder of Patient Privacy Rights, a national patient privacy advocacy organization.
The spreadsheet was an “internal document” that was created by hospital staff in order to fulfill Rhoda’s information request by pulling what is usually encrypted patient records from secure electronic systems and placing them in the non-encrypted spreadsheet, Oxley said. Encrypted files are password protected and only accessible to people within the hospital.
“This was unusual. We don’t usually have files with lots of patient names floating around,” Hofmaster, Acadia’s compliance officer, said.
Where things went awry, Oxley said, was when Comeau accidentally sent the file to the BDN.
“We had an individual who didn’t follow protocols,” he said. “We’ve got good standards, good policies, good practices. We educate to the Nth degree. We’ve got good security around our technology. It was noncompliance with our standards.”
Still, Oxley said, the hospital will explore ways to avoid repeating the mistake.
“We’re going to have to pick up the pace around education and try to find alternative levels of security, heightened levels of security from an IT perspective to prevent this from happening again,” he said.
He declined to discuss how the hospital has followed up with Comeau, who could not be reached for comment.
The hospital’s protocols could come under outside scrutiny if the federal enforcement agency that oversees HIPAA, the Office for Civil Rights with the U.S. Department of Health and Human Services, decides to investigate what happened after Acadia notifies it of the unauthorized disclosure, which it is required to do within 60 days of the end of the calendar year.
Depending on the findings of such an investigation, Acadia could be fined or required to make changes to its protocols that bring it into compliance with federal law. Affected patients are also able to file their own complaints, which they can do on the Department of Health and Human Services website within 180 days of the violation.
Patients don’t have the right to sue medical providers who disclose their HIPAA-protected information without permission, but they could still sue the hospital in state court over the general right of privacy, said Ezra Reinstein, a health care attorney based in Massachusetts.
Maine Focus is a journalism and community engagement initiative at the Bangor Daily News. Questions? Write to firstname.lastname@example.org.