The accidental disclosure of the names of 300 Suboxone patients by Northern Light Acadia Hospital to the Bangor Daily News earlier this month may not have approached the scale of high-profile data breaches that seem to often grab headlines. Nonetheless, it touched on how vulnerable personal information can be in a digital age.
Acadia, located in Bangor, has assured its patients that its error — caused by a communications official who accidentally emailed an unencrypted spreadsheet of patient names and their providers to a BDN editor without reading it first — was an isolated mistake. But such blunders are more common in the health care industry than people may think.
Here are three takeaways that help put the incident in context:
Human error is most often to blame.
Studies have found that human error, not outside hackers, is often behind the unauthorized disclosure of patient information.
Verizon’s 2018 Data Breach Investigations Report found that among the industries charged with protecting private personal information, health care was the only sector where employees were more likely to compromise the security of personal data than an external threat. The annual publication reviews data breaches and analyzes themes within industries.
The report reviewed 53,000 incidents where information was compromised, but not necessarily disclosed to an outside party, and 2,216 confirmed breaches to an unauthorized party. Those disclosures fell across nine industries, from education to finance and insurance to public administration. Notably, health care was the only sector where the majority of breaches and incidents were the result of “internal actors” making a mistake — similar to what happened with Acadia’s disclosure of Suboxone patient names.
Likewise, an analysis of health data breaches between 2009 and 2017 by researchers at the Johns Hopkins Carey Business School in Washington, D.C., last year found that more than half were “triggered by internal negligence and thus are to some extent preventable,” Reuters reported.
Quite often, the mistakes involve emails.
Emails are a common source of security mishaps within the health care industry, Reuters reported. Twenty-five percent of cases reviewed by the Carey Business School study linked the violation to “employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.”
That jibes with a conclusion from earlier this month by Internet Society’s Online Trust Alliance, a digital organization that promotes data privacy and security best practices, which ranked health care as the least trustworthy industry when it comes to properly securing consumer data “largely due to sparse adoption of email authentication and always-encrypted sessions.”
The Acadia disclosure began with the transfer of encrypted patient information into an unsecured spreadsheet attached at the bottom of a thread of emails. Health care organizations can prevent such mistakes by improving training and email encryption systems, the business school researchers suggested.
What about who gets to see patient information inside a hospital?
Health care organizations are only supposed to share a patient’s personal information when it’s necessary, according to federal health confidentiality laws, especially in cases that involve sensitive diagnoses, such as a substance use disorder or mental illness. The law allows organizations some flexibility to determine what is necessary, however.
Is it necessary for a communications employee to see which hospital patients have prescriptions for Suboxone, a medication used to treat opioid use disorder, in response to a general question from a reporter? According to Acadia, yes, that was an authorized part of Alan Comeau’s job as the hospital’s point-person on media requests. Though he didn’t read over the list of patients before he accidentally sent it to Erin Rhoda, the BDN’s investigations editor, he would have been allowed to, the hospital said. The BDN destroyed the file, and Rhoda did not share the names with anyone.
Still, it’s reasonable to assume that Acadia patients may not expect their sensitive information to be shared with the hospital’s public relations staff, and that such policies test the bounds of the rule requiring only the “minimum necessary” disclosure. To that end, the blunder raised questions not only about how the hospital handles secure information but also about how it interprets privacy.
“I think it’s also important to flag that that’s one of the reasons why there is this strong protection in place for substance use records under [federal law], because a lot of patients treated for substance use disorder would not feel comfortable with their records being shared with communications staff,” said Abigail Woodworth of the Legal Action Center, a New York-based legal advocacy organization.
Maine Focus is a journalism and community engagement initiative at the Bangor Daily News. Questions? Write to firstname.lastname@example.org.