Examples of Privacy Violations
From Health and Human Services
Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security.
Examples of recent privacy breaches include:
- The medical records of an Illinois woman were posted on the Internet without her knowledge or consent a few days after she was treated at St. Elizabeth's Medical Center following complications from an abortion at the Hope Clinic for Women. The woman has sued the hospital, alleging St. Elizabeth's released her medical records without her authorization to anti-abortion activists, who then posted the records online along with a photograph they had taken of her being transferred from the clinic to the hospital. The woman is also suing the anti-abortion activists for invading her privacy. (T. Hillig and J. Mannies, "Woman Sues Over Posting of Abortion Details," St. Louis Post-Dispatch, July 3, 2001, p. A1).
- After suffering a work-related injury to her wrist, Roni Breite authorized her insurance company to release information pertaining to her wrist ailment to her employer. When she had the opportunity to review her medical record, the file contained her entire medical history, including records on recent fertility treatment and pregnancy loss. (E. McCarthy, "Patients Voice Growing Concerns about Privacy," Sacramento Business Journal, April 5, 1999)
- A patient at Brigham and Women's Hospital in Boston learned that employees had accessed her medical record more than 200 times. (R. Mishra, "Confidential Medical Records Are Not Always Private," The Boston Globe, August 1, 2000, p. D1)
- Joan Kelly, an employee of Motorola, was automatically enrolled in a "depression program" by her employer after her prescription drugs management company reported that she was taking anti-depressants. (R. O'Harrow, "Plans' Access to Pharmacy Data Raises Privacy Issue," The Washington Post, September 27, 1998, p. A1)
- New York Congresswoman Nydia Velasquez's confidential medical records - including details of a bout with depression and a suicide attempt - were faxed from a New York hospital to a local newspaper and television station on the eve of her 1992 primary. After overcoming the fallout from this disclosure and winning the election, Rep. Velasquez testified eloquently about her experiences before the Senate Judiciary Committee as it was considering a health privacy proposal. (A. Rubin, "Records No Longer for Doctors' Eye Only," Los Angeles Times, September 1, 1998, p. A1)
- Country singer Tammy Wynette's medical records were sold to the National Enquirer and Star tabloids by a hospital employee for $2,610. William Cox's position at the hospital entitled him to authorized access to several medical record databases. He retrieved medical information about Wynette and faxed it to the tabloids without her consent. Last year Cox pleaded guilty to one count of wire fraud and was sentenced to six months in prison. ("Selling Singer's Files Gets Man Six Months," Houston Chronicle, December 2, 2000, p. A2)
- The 13-year-old daughter of a hospital employee took a list of patients' names and phone numbers from the hospital when visiting her mother at work. As a joke, she contacted patients and told them they were diagnosed with HIV. ("Hospital Clerk's Child Allegedly Told Patients That They Had AIDS," The Washington Post, March 1, 1995, p. A17)
- The Harvard Community Health Plan, a Boston-based HMO, admitted to maintaining detailed notes of psychotherapy sessions in computer records that were accessible by all clinical employees. Following a series of press reports describing the system, the HMO revamped its computer security practices. (A. Bass, "HMO Puts Confidential Records On-Line; Critics Say Computer File-Keeping Breaches Privacy of Mental Health Patients," The Boston Globe, March 7, 1995, p. 1)
- In Tampa, a public health worker walked away with a computer disk containing the names of 4,000 people who tested positive for HIV. The disks were sent to two newspapers. (J. Bacon, "AIDS Confidentiality," USA Today, October 10, 1996, p. A1)
- A banker who also served on his county's health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer. (M. Lavelle, "Health Plan Debate Turning to Privacy: Some Call For Safeguards on Medical Disclosure. Is a Federal Law Necessary?" The National Law Journal, May 30, 1994, p. A1)
- Police of Wilson, Pennsylvania are investigating why medical records (including original copies of lab reports, drug reports and doctor's examination notes) from Easton Hospital were found on the streets of Allentown, PA. All of the records had patient names and many included addresses and phone numbers. A hospital official stated that an internal investigation revealed a suspect or suspects responsible. The results of this investigation are being made available to the police in Wilson. (D. Nerl and A. Wlazelek, "Patients' Privacy Breached," The Morning Call, August 8, 2002)
- About 400 pages of detailed psychological records concerning visits and diagnoses of at least 62 children and teenagers were accidentally posted on the University of Montana Web site for eight days. In most cases, the information included names, dates of birth and sometimes home addresses and schools attended with the results of the psychological tests. (C. Piller, "Web Mishap: Kids' Psychological Files Posted," Los Angeles Times, November 7, 2001, p. A1)
- Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent a message to every individual registered to receive reminders about taking Prozac. In the past, the e-mail messages were addressed to individuals. The message announcing the end of the reminder service, however, was addressed to all of the participants. (R. O'Harrow, "Prozac Maker Reveals Patient E-Mail Addresses," The Washington Post, July 4, 2001, p. E1) The FTC filed a complaint against Eli Lilly alleging that the unauthorized disclosure of personal information by the company was an "unfair or deceptive" act or practice in violation of Section 5(a) of the Federal Trade Commission Act. In January 2002, Eli Lilly settled the FTC charges against the company. It agreed to increase existing security and to create an internal program to prevent future privacy violations. No fine was involved in the settlement because the incident was unintentional. ("Lilly Privacy Violation Charges Are Settled," The New York Times, January 19, 2002, p. C3) The company also reached a similar settlement with attorneys general from eight states - CA, CT, ID, IA, MA, NJ, NY and VT. (T. Burton, "Lilly Reaches Accord with States in Privacy-Infringement Case," The Wall Street Journal, July 26, 2002)
- Several thousand patient records at the University of Michigan Medical Center inadvertently lingered on public Internet sites for two months. The problem was discovered when a student searching for information about a doctor was linked to files containing private patient records with numbers, job status, treatment for medical conditions and other data. ("Black Eye at the Medical Center," The Washington Post, February 22, 1999, p. F5)
- The medical records of about 20 patients of Providence Alaska Medical Center were accidentally posted on a Web site. (P. Porco, "Patients' Privacy Breached; Alaskans' Medical Records Put on Net," Anchorage Daily News, June 4, 2000)
- Confidential Medicaid records were disclosed during the sale of surplus equipment by the Arkansas Department of Human Services twice in six months. In October 2001, the state stopped the sale of the department's surplus computer storage drives when it was discovered that Medicaid records that were supposed to be erased were found on the computers. In April 2002, a man who bought a file cabinet from the department found the files of Medicaid clients in one of the cabinet's drawers. The files included Social Security numbers and birth dates. ("DHS Surplus Sales Again Reveal Confidential Information," Associated Press, April 3, 2002)
- Documents referring to over 125 psychiatric patients of Rapid City Regional Hospital were found in a convenience store trashcan by an editor of the Milwaukee Journal Sentinel. A University of South Dakota fourth year medical student had taken papers outside of the hospital and dumped them in the trash. The documents included lists of patients in the psychiatric unit and their diagnoses along with the student's handwritten notes about some of the patients. The University's faculty committee will be recommending discipline for the student. (C. Brokaw, "S. Dakota Investigates Psych Records," Associated Press, December 30, 2001)
- Thousands of medical records fell out of a vehicle and were blown throughout Mesa, Arizona. The records were being transported to be destroyed. ("Medical Records Fall Out of Vehicle, Blown Through Street," Associated Press, May 26, 2000)
- Two health care organizations in Washington State were found discarding medical reports in unlocked dumpsters. Among the information found by reporters were patient names, addresses, social security numbers, and detailed descriptions of sensitive medical procedures. (S. Salyer, "Patients' Records Found in Unsecured Dumpsters," The Daily Herald, June 18, 2000)
- Aetna health insurance claim forms blew out of a truck on the way to a recycling center and scattered on I-84 in East Hartford during the evening rush hour. Aetna, the nation's largest health insurer, quickly dispatched employees - some of them on the way home from work - to scoop up forms containing names and personal health information. The papers should have been shredded under company policy, but they were not. ("Careless Disposal of Records Imperils Privacy," The Hartford Courant, May 14, 1999)
- Intermountain Healthcare, a Utah-based health plan, recently took steps to recover patient medical files that were misplaced. IHC said that its Salt Lake Clinic had donated a file cabinet to Deseret Industries and did not know that some records and laboratory reports had accidentally slipped behind the drawers. (J. Constanzo, "IHC Sues over Misplaced Records," The Deseret News, December 2, 1998)
- Hundreds of patient records were found in the parking lot outside Scripps Clinic in California. Information included diagnosis, credit card information and test results. The records appeared to be from multiple health care sites. ("Patient Privacy Dumped in Trash," San Diego Union-Tribune, May 18, 1998)
- The chain drug stores CVS and Giant Food admitted to making patient prescription records available for use by a direct mail and pharmaceutical company. Their stated intent was to track customers who do not refill prescriptions and send them letters encouraging them to refill and consider alternative treatments. However, in response to the outrage and worry expressed by their customers, both companies subsequently advised their plans to abandon their marketing and direct mail campaigns. (R. O'Harrow, "Prescription Fear, Privacy Sales," The Washington Post, February 15, 1998, p. A1)
- An Orlando woman had her doctor perform some routine tests and received a letter weeks later from a drug company touting a treatment for her high cholesterol. ("Many Can Hear What You Tell Your Doctors: Records of Patients Are Not Kept Private," Orlando Sentinel, November 1997, p. A1)
- University of Minnesota researchers violated the confidentiality of organ donors when they mailed a survey to 1200 transplant recipients participating in a long-term research study and mistakenly revealed the names of those who had donated their kidney to the recipients. Although many recipients already knew the identity of their organ donor, more than 400 learned the name of their donor for the first time. A software upgrade was cited as the reason for the breach, apparently because it altered a feature that was supposed to suppress the donors' names. This is the second time within three months that computer problems at the University have led to the violation of patient confidentiality. In November 2001, a psychologist mistakenly posted the mental health records of 20 children on a public Web site. That breach is still being investigated. (J. Marcotty, "Names of Donors Are Accidentally Included in Letter to Kidney Patients," Minneapolis Star Tribune, January 15, 2002, p. 1A)
- Renee McIntosh is suing a San Francisco law firm that represents her employer, Safeway. McIntosh claims that the firm shared information - including a psychiatric evaluation - about her workers' compensation claim with a coworker. (K. Flaherty, "Litigation Privilege vs. Privacy Is Issue in Suit," American Lawyer Media, April 9, 1999, p. 2)
- In Doe v. SEPTA, Rite-Aid drug store in Pennsylvania provided to the state's transportation authority (SEPTA) information about the prescription drugs being taken by SEPTA's employees. In disclosing to SEPTA authorities that one of its employees was receiving AZT, Rite-Aid in effect disclosed the employee's HIV status. Prior to the disclosure, Doe's employers had assured him that although they were self-insured, no information regarding his prescription drugs or HIV status would be disclosed outside of the Medical Department. The court found no privacy violation stemming from this disclosure since Doe could not prove actual damages, and the employer was deemed to have legitimate interest in knowing the details of how its employees used the health plan. (Doe v. SEPTA, WL 76, 2891. (3d Cir. 1995))
- A Washington DC jury ordered a local hospital to pay $25,000 for failing to keep a patient's medical records confidential. Coworkers learned of the victim's HIV status after an employee at the Washington Hospital Center revealed information in his medical record. (P. Slevin, "Man Wins Suit Over Disclosure of HIV Status," The Washington Post, December 30, 1999, p. B4)
- In 1998, Longs Drugs in California settled a lawsuit filed by an HIV positive man. After a pharmacist inappropriately disclosed the man's condition to his ex-wife, the woman was able to use that information in a custody dispute. However, rather than pursue the suit against the pharmacy, the man chose to settle in order to avoid a court trial that could result in news coverage - and therefore further disclosure - of his illness. ("Longs Drugs Settles HIV Suit," San Diego Union-Tribune, September 10, 1998, p. A3)
- A man with AIDS won an out-of-court settlement with a Michigan pharmacy in 1998. A pharmacy clerk told Stanley Grzadzinski's children that he had AIDS. ("Settlement in Privacy Suit Against Drug Store; Children Allegedly Learned of Dad's AIDS from Son of a Pharmacy Clerk," Chicago Tribune, January 9, 1998, p. 10)
- A psychiatrist from New Hampshire was fined $1,000 for repeatedly looking at the medical records of an acquaintance without permission. Because there was no state law making it a crime to breach the confidentiality of medical records, the case was brought under a law against misusing a computer. ("Psychiatrist Convicted of Snooping in Records," The Associated Press State & Local Wire, May 5, 1999)
- A jury in Waukesha, Wisconsin, found that an emergency medical technician (EMT) invaded the privacy of an overdose patient when she told the patient's co-worker about the overdose. The co-worker then told nurses at West Allis Memorial Hospital, where both she and the patient were nurses. The EMT claimed that she called the patient's co-worker out of concern for the patient. The jury, however, found that regardless of her intentions, the EMT had no right to disclose confidential and sensitive medical information, and directed the EMT and her employer to pay $3,000 for the invasion of privacy. (L. Sink, "Jurors Decide Patient Privacy Was Invaded," Milwaukee Journal Sentinel, May 9, 2002)
No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.