Hepatitis Patients' Data ExposedReport: Philadelphia Department of Public Health Exposed Data on Website
The Philadelphia Department of Public Health inadvertently exposed on its website the records of thousands of hepatitis patients, according to a local news report.
The data exposure incident points to the need for better staff training, says Paul Hales, an independent HIPAA attorney. "Staff must be trained to protect health information privacy and properly supervised," he says. "Ultimately the fault lies with senior management and governing boards who are responsible for compliance within their organization."
The Philadelphia Inquirer reports that one of its reporters on Oct. 11 discovered the accessible health department data, which included reports of patients diagnosed with hepatitis B or C from 2013 to 2018.
"The reporter discovered the accessible data, which in one case included 23,000 individual records of new cases of hepatitis C," the newspaper reports.
The Inquirer said it notified the city's health department, which immediately removed the data from its website. The newspaper says it did not download or preserve the data. "Information included each patient's name, gender, date of birth, address and test results, and in some cases, Social Security numbers and notes by health providers," it reports.
It remains unclear how long the data was accessible or what led to it being exposed.
In a statement provided on Monday to Information Security Media Group, the Philadelphia department of public health says it was notified on Oct. 11 that personal health information was available for download on one of the departments webpages. "The information was removed immediately. Since that time, the health department had been working with the vendor and city officials to find out what data was potentially exposed, how many people's records were exposed, and what actions are required be done in response to the exposure," the statement says.
In the meantime, the health department is undergoing assessing all data available on the website to ensure no other personal information is available and reviewing data presentation policies to prevent other data exposure incidents, the statement says. "As we learn more about what happened and who was affected, we will take appropriate actions."
The Philadelphia mishap appears to have similarities to a number of other major healthcare data breaches involving misconfigured IT settings.
For instance, among some of the largest health data breaches posted so far this year to HHS' HIPAA Breach Reporting Tool website was an incident reported in April by Inmediata Health Group. In that incident, the Puerto Rico-based clearinghouse and cloud software services provider said a misconfigured webpage setting potentially exposed protected health information of 1.56 million individuals.
Also, in February, Seattle, Washington-based healthcare system UW Medicine reported to HHS an incident involving a database coding error that exposed PHI of more than 973,000 individuals to internet search engines.
Other Health Department Breaches
Several data breaches involving state government health agencies have been reported to the U.S. Department of Health and Human Services over the years.
Those include a 2014 incident reported by the Montana Department of Public Health and Human Services that affected more than 1.3 million individuals.
And earlier this year, the Alaska Department of Health and Social Services said it was notifying more than 700,000 individuals of a 2018 incident that was initially reported to federal regulators as affecting only 501 individuals.
Sensitive Data Exposures
Like the breach of hepatitis patients' data in Philadelphia, many other health data breaches have involved exposure of particularly sensitive data.
For instance, health insurer Aetna has paid several financial settlements related to a mailing envelop incident in 2017 that revealed HIV-related drug information of about 12,000 health plan members.
A multistate investigation by the attorneys general of several states ended last year with Aetna signing a financial settlement agreement with Washington, D.C., for $175,000, Connecticut for $100,000 and New Jersey for $365,000, as well as a settlement with the state of Washington, for which the amount was undisclosed.
Those settlements were in addition to a separate $1.15 million settlement Aetna signed with the New York state attorney general's office last year, and also a $1 million settlement earlier this year with the attorney general of California.
On top of those settlements, in 2018 Aetna also signed a $17.2 million settlement of a class action lawsuit filed against the company related to that HIV data breach.