A public-data tool built by the Philadelphia Department of Public Health to track the prevalence of hepatitis infections left individuals’ health records accessible, compromising the names, addresses, Social Security numbers, and intimate health records of thousands of people receiving medical care in Philadelphia.
The department learned of the breach Friday when an Inquirer reporter discovered the data and notified the department. It was not clear how long the information was exposed. The data were taken down minutes after the department was notified.
“We deeply regret the inadvertent exposure of personal health information on our website,” said Thomas Farley, Philadelphia’s health commissioner. “We will conduct a thorough investigation of this incident, attempt to determine if any confidential information was accessed by others, take appropriate corrective actions, and do everything we can to protect the privacy and security of personal information.”
The department did not say whether it planned to notify all whose records were exposed. A city spokesperson said they were still investigating the scope of the incident and “cannot comment on specific actions” until more is learned.
The reports focused on positive test results for hepatitis B and C. Hepatitis is a viral infection that affects the liver and can cause cancer if left untreated. People may get hepatitis B from the bodily fluids of an infected person. Hepatitis C usually spreads only through blood-to-blood contact.
The viruses are often associated with intravenous drug use, which is why the department tracks them as part of its opioids initiative.
The data appeared to cover new diagnoses from 2013 to the end of 2018.
Hepatitis cases are required to be reported to health departments by medical providers. Though the health department had previously published static charts and images tracking hepatitis, it recently uploaded individual health records to Tableau, a tool that allows businesses and government agencies to publish databases online.
The tool is primarily intended to visualize data with charts and aggregated figures. However, authors of Tableau dashboards must choose to keep the underlying data inaccessible; otherwise, all of the data can be downloaded with several mouse clicks.
The reporter discovered the accessible data, which in one case included 23,000 individual records of new cases of hepatitis C. The newspaper did not download or preserve the data. Information included each patient’s name, gender, date of birth, address, and test results, and in some cases, Social Security numbers and notes by health providers.
It could not be determined how many people accessed the raw data. The dashboards containing the exposed data were available on the department’s opioid data page, hosted on Tableau’s website.
It’s unclear what legal issues the breach poses. Robert Field, a health-care law expert at Drexel University, said it is unlikely that the federal law governing medical record privacy was at play, since the Health Insurance Portability and Accountability Act (HIPAA) largely applies to health-care providers and insurance companies, not government agencies.