BreachExchange mailing list archives

Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Wed, 15 May 2013 11:20:28 -0400

http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130514/CITYANDREGION/130519516/1003

Confidential information about more than 10,200 patients of Dent
Neurologic Institute was inadvertently sent to more than 200 patients
Monday in an email attachment.

The personal information – including patients’ names and home
addresses, their doctors’ names, last appointment dates and their
email addresses – was contained on an Excel patient spreadsheet.

The data does not include specific information about the patients’
medical conditions, birth dates or Social Security numbers, according
to Dent, which attributed the privacy breach to “human error.”

“The list was mistakenly attached to a routine email that was being
sent to patients by a clerk in the DNI administrative office,” Dent
said Tuesday in a statement.

“We are very sorry this happened, and we deeply apologize to all of
our patients, referring physicians and WNY health care partners,” Dent
CEO Joseph V. Fritz said in the same news release. “Patient
confidentiality is extremely important in our field, and we take it
very seriously, and we will review how this accident happened so we
can take steps to minimize the possibilities it could ever happen
again. This is an inexcusable event.”

Dent officials did not respond to requests to comment further. The
institute said that by Tuesday afternoon it had contacted all of the
200 patients who received the email and asked them to delete the
message.

Not every patient of the institute was listed on the spreadsheet.
However, some patients whose information was included remain upset by
the breach of privacy.

“I’m on there, and my daughter is on there, and I know other people on
there,” said Kelly J. Asher, a health and wellness coordinator with
Erie County’s Senior Services, who received the email and is in the
database.

“When I opened the attachment and realized the plethora of personal
information that was carelessly sent out by the Dent Institute, I was
very disturbed,” Asher added.

“I also must question the intent of the email, and I’m not sure I buy
the explanation of the incident given by Dent. This list would
certainly be helpful for a business trying to directly market a
product to a targeted group of patients.”

Several Dent patients contacted for this article said they were
learning about the release of their information from a reporter.

“The scary thing is, The Buffalo News knows about this and I don’t,”
said Ross T. Runfola Jr., a member services supervisor for health
insurance provider Fidelis Care.

Runfola said he’s also worried that identity thieves could get their
hands on this data.

“It’s amazing what you can do with a little information,” said
Runfola, who only recently started going to Dent.

Asher and Runfola view the release of the patient data as a violation
of HIPAA, the Health Insurance Portability and Accountability Act,
which protects patient privacy.

A breach of HIPAA is “an impermissible use or disclosure … that
compromises the security or privacy of the protected health
information that … poses a significant risk of financial, reputational
or other harm to the affected individual,” according to the federal
Department of Health and Human Services.

“It certainly seems to fall within the general definition of
‘individually identifiable health information.’ That’s the magic
phrase from the privacy rule,” said Anthony H. Szczygiel, a University
at Buffalo law professor and director of the Law School’s William and
Mary Foster Elder Law Clinic.

An institution that violates HIPAA could face civil or criminal
penalties, but these are issued only for the most serious and
malicious misconduct, said Szczygiel, who teaches an introductory
course on health law.

Even if this data release doesn’t violate HIPAA, he added, “I would
think this violated institutional policies, so I think some heads
would roll for that.”

The act's breach notification rule also requires the covered entity to
notify affected individuals and the Department of Health and Human
Services and, for a breach affecting more than 500 people, prominent
media outlets as well.

According to Dent, it has already notified the state Department of
Health and will send a letter of notification and apology to all the
patients involved in the breach.

Dent officials did not say what, if any, safeguards they plan to put
in place to prevent a future breach.

The accidental release of the database follows another recent misfire
by Dent in which all the institute’s patients received letters by mail
that were intended only for those with Catholic Medical Partners
physicians, causing confusion among those with other doctors.

In a response at that time, Fritz wrote on the institute’s website:
“These letters were distributed to our entire patient database rather
than just those patients currently under the CMP program. Many
patients are now questioning why we moved away from Kaleida, etc., and
are concerned their insurance will no longer cover them. … Frankly, it
was an unfortunate mistake that these letters were sent to our entire
patient population, and we sincerely apologize for creating this
confusion.”

Dent Neurologic treats patients of all ages for such conditions as
concussions, headaches, dizziness and sleep problems, as well as those
with multiple sclerosis, epilepsy and memory disorders. It has offices
in Amherst, Orchard Park, Derby and Batavia.

Dent patients who have questions about the email incident can call the
institute at 250-2000.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

