The BDN Opinion section operates independently and does not set news policies or contribute to reporting or editing articles elsewhere in the newspaper or on bangordailynews.com
Jon Connor of Lewiston represents District 58 in the Maine House of Representatives.
It is hard to imagine a moment in someone’s life that is more sensitive and more private than the decision to seek help for addiction or suicidal behavior. That’s why it is especially appalling to learn that Maine’s Department of Health and Human Services carelessly placed confidential, personally identifiable information about patients receiving mental health and addiction treatment services on a publicly-accessible database, viewable by anyone with an internet connection.
When confronted with questions about this incident, the department’s response was particularly inappropriate. They patted themselves on the back for telling the truth about this incident and notifying the 20 patients impacted, pointing out that the department is “not required by law to make these notifications.”
Unbelievable. For an agency that just violated the vital trust that the public places in them, notification should certainly be a minimal expectation. Yet for a violation of this magnitude, more accountability is needed. Gov, Janet Mills and Commissioner Jeanne Lambrew must hold their department to a higher standard and rebuild trust after this disturbing breach.
First, Maine’s attorney general should review this incident and determine whether the rights of any Maine patients were violated as well as whether any actors in the department violated state or federal law. DHHS has said that their actions did not violate the Health Insurance Portability and Accountability Act, but there must be a fuller public accounting of how the exposure of this sensitive information to the public complied with all relevant laws and rules.
Commissioner Lambrew and her department must not sweep this under the rug, instead we must fully account for any mistakes or wrongdoing.
Second, we must conduct an independent review of the practices by which DHHS collects and stores personally identifiable information. Data breaches are all too common these days, and while it is unavoidable that there will be times when our agencies must be the custodian of confidential, personally identifiable information, the Legislature has a duty to ensure that such information is only collected and retained as rarely as possibly, only when vitally necessary, and secured to the greatest extent possible. This is why I have submitted legislation that would require an independent review of the department’s practices, and I hope the administration would welcome such an effort.
Third, Mills and Lambrew must take action to address the specific management failing that led to this incident. So far, the department has pledged “an additional layer of confidentiality protection,” without providing specific information on what practices they are changing in order to address this failing. Let’s be clear, this was not just a failure of process, it was also a human failing. There are employees or managers in the department who made decisions or failed to act, resulting in this violation of the public’s trust. In the private sector, this would result in discipline or termination. Accountability demands no different from the public sector.
In order to fulfill its mission, DHHS relies upon the trust and confidence of the Maine people. Recent events have revealed an appalling violation of that trust and we must all take swift action to ensure this never happens again.