by Michael J. Sacopulos, JD (General Counsel Medical Justice / Dental Justice)
Porn Stars Deserve Privacy, Too
Every day seems to bring word of new healthcare privacy breaches. A physician’s laptop goes missing in Illinois. A practice’s system is hacked in Maryland. Old patients’ charts turn up in a landfill in Ohio. Some of these breaches are not only frightening in terms of their ramifications, but they come across like plots of crime shows on TV. Here are some of the dramatic examples.
Porn Star HIV Test Database Leaked
Although porn stars are not typically known for their privacy concerns, they do often use stage names to keep their true identities confidential. In 2011, however, their personal lives were broadcast for the world to see, when medical test results and personal details about thousands of current and former porn performers were leaked.[1]
The patient database of the private health clinic that conducts sexually transmitted disease (STD) tests for California’s porn industry was hacked. Porn Wikileaks, a Website that lives up to its name, posted a list of what it claimed were the real names of more than 15,000 performers, both past and present. That 15,000 was a very significant number, considering that there were only about 1200 to 1500 performers working at the time. This leak “outed” the stars to any curious Web surfer, causing an uproar in the industry…or so I am told.
Many of the names came from the database of the Adult Industry Medical Health Care Foundation (AIM), which has since closed. AIM conducted the majority of STD tests for the porn industry, and currently working performers got tested at least once every 28 days. Several porn performers said that the information on Porn Wikileaks must have come from AIM’s database because they had only used the stage names that were posted on Porn Wikileaks once, and that was when they had registered for testing at AIM.
Not only were real names leaked onto the site, but many entries also included the performers’ addresses, family members’ information, copies of state identification, and even Google Maps pictures of their homes.
Blatant Misuse of Private Health Information to Make a Pass at a Customer
A Canadian pharmacist vastly overstepped his boundaries with patient data by using a patient’s information to try to build a relationship with her on Facebook, reports Canadian Privacy Commissioner Jill Clayton. Clayton says that the Calgary pharmacist misused health information for personal purposes when he called the woman twice in 2012 after she filled prescriptions with him.[2] Apparently, his telephone efforts were unsuccessful. He next moved to the venue of social media, where he sent a friend request to her on Facebook.
In a news release, Commissioner Clayton stated that “health information systems are for health care, not matchmaking.” Clayton also rebuked Amani Pharmacy for not training the pharmacist properly in how to treat personal information.
Amani Pharmacy has been ordered to review its training and security systems. The pharmacist, whose identity was not disclosed, is no longer working at the pharmacy.
Situations such as this may be avoided by using a 4-step approach. First, have policies in place that mandate strict confidentiality. Next, train staff on those policies. Step 3, trust but verify: With a minimal amount of effort, you can check to see whether electronic information is being inappropriately accessed. Finally, impose accountability. If you find a policy violation, the employee should receive some degree of discipline for that violation.
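As an added illustration of the "trust but verify" step (not part of the original article), the Python sketch below audits a pharmacy-style access log and flags record views or printouts that have no prescription fill for the same patient close in time. The log layout, user names, patient IDs, and the four-hour window are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log: timestamp,user,patient_id,action
# (hypothetical layout, not any vendor's real audit format).
ACCESS_LOG = """\
2013-03-04T09:12:00,rph_alice,P1001,view
2013-03-04T09:15:00,rph_alice,P1001,fill
2013-03-04T21:40:00,rph_bob,P2002,view
2013-03-04T21:41:00,rph_bob,P2002,print
2013-03-05T10:00:00,tech_carol,P3003,view
2013-03-05T13:30:00,rph_alice,P3003,fill
"""

def parse(log_text):
    """Turn CSV-style log lines into (datetime, user, patient, action) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events

def unexplained_access(events, window=timedelta(hours=4)):
    """Return view/print events with no fill for the same patient within +/- window.

    A fill is treated as the business reason for opening a profile; access
    with no nearby fill is not proof of misuse, only a prompt for review.
    """
    fills = [(ts, patient) for ts, _, patient, action in events if action == "fill"]
    flagged = []
    for ts, user, patient, action in events:
        if action == "fill":
            continue
        justified = any(p == patient and abs(ts - f_ts) <= window
                        for f_ts, p in fills)
        if not justified:
            flagged.append((ts.isoformat(), user, patient, action))
    return flagged

if __name__ == "__main__":
    for row in unexplained_access(parse(ACCESS_LOG)):
        print("REVIEW:", *row)
```

Tightening the window surfaces more events for human review; loosening it reduces noise at the cost of missing lookups made long after a legitimate fill.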
Prostitute Takes Laptop, Psychologist Loses License
Dr. Sunil Kakar, a Gig Harbor, Washington, psychologist, had his license suspended after a prostitute stole his laptop.[3] The computer contained private information from 652 patients whom Dr. Kakar had seen via contracts with the Department of Social and Health Services.
On Valentine’s Day, 2013, Dr. Kakar found himself filing a police report with the Gig Harbor police department. According to the report, someone stole his laptop from his unlocked vehicle. He stated that the incident could have happened over the previous 2 weeks, but he did not notice his laptop was missing until that morning. This tale of fiction soon unraveled.
Later, Dr. Kakar revealed to police that he had met someone by the name of Ivy on the dating Website T&A in mid-January. The two began texting back and forth, and on January 20, Ivy came to Dr. Kakar’s home, where sexual relations were exchanged for $450. Then, on January 25, Dr. Kakar met Ivy for dinner and had sexual relations afterward, but he did not give her any money.
Finally, on the 28th, they had another date. Dr. Kakar stopped at an ATM with Ivy, but he had insufficient funds. This news did not sit well with Ivy.
Dr. Kakar admitted to police that he left his laptop with Ivy, as a token of goodwill for not paying her on the 25th. He got the laptop back from her on the 29th, and the two met up for dinner on the 30th. Dr. Kakar met with Ivy on February 2 and stopped at the ATM — which again displayed that he had insufficient funds.
Dr. Kakar’s laptop was in his vehicle, and this is when he believes Ivy took it from him. He confronted her about the missing laptop, but she denied all accusations. Then, on February 11, he called her for sex and paid her $200. Afterwards, she told him she had forgotten something in her car and left. That was the last time Dr. Kakar ever laid eyes on Ivy.
This brings us back to the morning of Valentine’s Day, when Dr. Kakar alerted police to the missing laptop. Because the computer had been registered with Apple, police were able to track it by matching its serial number against incoming items at local pawn shops. Police recovered the laptop from a Cash America store. Store records showed that it had been pawned by Teyana Dorsey — aka Ivy. When police turned on the laptop, they discovered that the username had been changed to T. Dorsey, with no password. The laptop immediately accessed Dr. Kakar’s emails, which contained personal and sensitive data.
Dr. Kakar sent out a letter apologizing to his clients, in which he wrote, “I am extremely sorry for this situation and understand it may cause concern, embarrassment and inconvenience…I take client confidentiality very seriously.”
Lesson for doctors: As more and more professionals switch from desktop computers to laptops and tablets, these devices need to be protected in case of theft or loss. Access to a computer should be granted only through a strong password. In addition, email should be protected with encryption. Finally, your personal device should be set to lock after a short period of inactivity, to prevent curious passersby from logging on.
Private Pharmacy Records Get Ex-boyfriend and Employee in Big Trouble
When Abigail Hinchy received a text message from her ex-boyfriend one night, she was anything but happy to read it. The ex-boyfriend and father of her child, Davion Peterson, informed Hinchy that he was looking at a printout of her pharmacy records. Peterson tried to use Hinchy’s pharmaceutical records to blackmail her into not seeking child support for their child.[4]
Hinchy was shocked that Peterson somehow gained access to such personal information. She immediately called the local Walgreens pharmacy where she gets her prescriptions filled. Hinchy’s lawyer, Neal F. Eggeson, stated that Hinchy contacted the pharmacy, saying, “I believe there has been a privacy breach here. Can somebody check to make sure my records are secure?”
Later, Hinchy discovered that Peterson was married to a pharmacist at that Walgreens store. She then contacted Walgreens a second time, informing them that she believed that their pharmacist, Audra Peterson, was involved in this breach of healthcare information.
After an investigation, Audra Peterson confessed to providing her husband with Hinchy’s prescription profile, says Eggeson. Walgreens responded with a final written warning, which in essence is just a note in the personnel file. The company commented on their decided disciplinary action, saying, “We take seriously our responsibility to safeguard the privacy of medical records in our possession. The pharmacist in this case admitted she was aware of our strict policy and knew she was violating it. She was appropriately disciplined for her action.”
Eggeson said an expert testified that Walgreens should have a mechanism in place for tracking recent profile access. Walgreens called such precautions impractical, stating that it simply does not have the ability to do something like that.
Although the Health Insurance Portability and Accountability Act (HIPAA) does not create a private cause of action, it can still play an important role in private causes of action in state court, as in Hinchy’s trial. Eggeson’s client filed suit against both the pharmacist and Walgreens, claiming that both had breached their common and statutory law duties of confidentiality and privacy. Walgreens was negligent in supervising and training Peterson, Eggeson believed. Walgreens stated, “We believe it is a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.”
Eggeson said that on the basis of the facts of the case, his client suffered an invasion of privacy, emotional harm, and emotional anguish, for which he asked the jury to compensate Hinchy. And compensate they did: The jury clearly agreed that Walgreens hadn’t done enough internally to prevent Peterson from going through patient files.
On July 26, 2013, the jury awarded damages of $1.8 million. This was reduced by a suggested 20%, because this amount of the damage was said to have actually been caused by the ex-boyfriend, who was not an employee of Walgreens. “It seems pretty clear that the jury concluded that the ex-boyfriend was the impetus behind all of this,” Eggeson noted. “He probably convinced his wife to go into the prescription profile and print off the information for him. He really was the catalyst.” A Marion County, Indiana, jury awarded Hinchy $1.44 million for her damages.
Takeaway Lessons
Patient privacy breaches can happen in an infinite variety of bizarre ways. Colleagues and employees sometimes display poor judgment when handling patient data. Better procedures and more training help to reduce breaches. Unfortunately, some breaches will continue to occur simply because people are naughty at times.
However, by having official and documentable programs in place to teach employees about respecting data privacy, and by having penalties for staff members who breach those rules, you will help to protect yourself in the event that data breaches occur, and you will also protect your patients.
Michael J. Sacopulos serves as General Counsel of Medical Justice and Dental Justice. He is the CEO of Medical Risk Institute (MRI). MRI provides proactive counsel to the healthcare community to identify where liability risks originate, and to reduce or remove these risks. Sacopulos won the 2012 Edward B. Stevens Article of the Year Award for MGMA. He has written for Wall Street Journal, Forbes, Bloomberg, and many publications for the medical profession and is a frequent national speaker. Sacopulos attended Harvard College, London School of Economics, and Indiana University Robert H. McKinney School of Law. He may be reached at msacopulos@medriskinstitute.com
References
1. Adams G. Adult industry enraged as ‘Porn Wikileaks’ gives stars’ real names. The Independent. April 1, 2011. http://www.independent.co.uk/life-style/love-sex/sex-industry/adult-industry-enraged-as-porn-wikileaks-gives-stars-real-names-2258874.html Accessed February 2, 2014.
2. Pharmacist’s Facebook request broke Alberta’s health rules. CBC News Calgary. December 17, 2013. http://www.cbc.ca/news/canada/calgary/pharmacist-s-facebook-request-broke-alberta-s-health-rules-1.2467552 Accessed February 2, 2014.
3. McCarty K. Gig Harbor psychologist’s laptop with client records stolen by prostitute. kirotv.com. October 14, 2013. http://www.kirotv.com/news/news/gig-harbor-psychologists-laptop-client-records-sto/nbNX6/ Accessed January 28, 2014.
4. Ouellette P. Will Walgreens breach ruling affect future HIPAA violations? HealthIT Security. August 13, 2013. http://healthitsecurity.com/2013/08/13/will-walgreens-breach-ruling-affect-future-hipaa-violations/ Accessed January 4, 2014.
It is my feeling that the HIPAA issues have gone way too far with potential legal action in many situations. I was brought up before a hospital cabinet meeting for violating HIPAA when visiting a patient in the hospital. The hospital claimed I did not have a doctor-patient relationship with the patient and an “investigation” ensued. As it turned out, after being threatened by the hospital medical staff, I did have a doctor-patient relationship, which I had to prove, and the issue was dropped. Another time, at the same hospital, I did not properly log off a computer after being assisted with some orders by the IT person at the hospital. I did not know it was a two-step process to log off. After I left the computer station someone else sat down and began searching patient files. A week later I received a letter from the hospital asking why I had searched the files and what information I obtained. The only reason I was not kicked off the staff of the hospital for such an infraction was the fact that I was accessing another part of the hospital with my ID badge at the same time someone else was looking into patient files on my log in. Effectively docs are in violation of the HIPAA laws if we text another doc with any patient information or send e-mails with any patient information. Although there are times when HIPAA issues are very important, the penalties are often way too heavy and this issue has gone viral.
We exclusively use paper charts in our practice to protect patient confidentiality, and for many other reasons. CMS mandates EHR, and this is one of the reasons we decided to opt-out of Medicare, and offer a senior-citizen “discount” for our medical services.
Have you noticed that you see an increasing number of your email contacts “hacked and spammed”? As far as I’m concerned, anything put electronically on the web should be considered public information. Caveat emptor.
Eric