The medical records of thousands of Philadelphians were not compromised, the city said, after The Inquirer notified the city’s Health Department of a data breach that linked positive hepatitis test results to intimate personal details.
This finding comes after an investigation by the city’s Public Health Department and a team with the Centers for Disease Control and Prevention concluded that an Inquirer reporter was the only person to see the records before notifying the department of the breach.
The reporter found the records on a public data tool built by the health department in October, shortly after the hepatitis records were posted. Minutes after being notified by The Inquirer of the exposed records, the department deleted them. As such, “there was no risk to confidentiality,” said Jim Garrow, health department spokesperson.
Patients will not be notified.
Garrow said the exposure was an “oversight by an employee” who did not understand that the posted data contained personally identifiable information.
The records were part of a database built by the department to track hepatitis infections in aggregate rather than particular cases. But the department receives records with personally identifiable information from health-care providers around the city. That information was never removed and was uploaded to Tableau, a tool for publishing databases online.
Personal information will be cut from those databases going forward, Garrow said, following a visit by a team from the CDC that made recommendations to prevent similar exposures in the future.
The records consisted of positive test results for hepatitis B and C, viruses that are often transmitted via intravenous drug use. The reports containing the records were linked through the department’s opioid data page.
The city determined that the reporter was the sole person who encountered the raw data after consulting with Tableau, which had records of which computers had accessed the data. The company confirmed that no computers other than those of the city government and The Inquirer accessed the data. The newspaper did not preserve copies of the records.
The records in question were specific and intimate. One of the first few positive tests listed in the data set linked a woman’s name, race and date of birth to notes that said the hepatitis screening was performed due to her pregnancy, then in its first trimester. The records also included the Social Security numbers of patients in some cases.
Had the records been compromised, there would have been significant consequences, one expert said.
“As breaches go, it’s pretty bad,” said I. Glenn Cohen, faculty director of Harvard University’s Petrie-Flom Center on Health Law Policy, Biotechnology and Bioethics. “Imagine how family or romantic partners might react to seeing someone’s name on the list.”
The city said the records were not protected under the Health Insurance Portability and Accountability Act, a federal law that imposes strict data privacy standards on health-care providers and insurance agencies. The health department said the data was not used by a so-called “covered unit” subject to HIPAA.