Agency discovers private patient information on Internet

All it took was a quick Internet search to yield private medical information on more than two dozen Rio Grande Valley children.

Until Thursday, the Web site of a children's rehabilitation clinic had a link to spreadsheets containing the full names, phone numbers and insurance status of about 25 patients.

The information was in a backup folder linked to the Web site, not on the site's main page. But a link to the data pops up in a search using Google.

An employee at a federal health agency discovered the information during a routine Internet search, and tried to alert the clinic, as well as a reporter.

Posting medical information online, unless patients have consented, is likely a violation of federal privacy protections in the Health Insurance Portability and Accountability Act of 1996, according to experts.

HIPAA restricts access to "individually identifiable health information," including any health information that is tied to the person's name, Social Security number or birth date. Under HIPAA rules, a health care provider can only release medical information under certain circumstances, and not to the public unless the patient consents.

The clinic, New Beginnings Children's Therapy, removed the spreadsheets from its Web server Thursday. Office manager Claudia Flores said she didn't realize the information was posted to the site or accessible to the public. The clinic had hired a company to back up some of its files back in 2005, Flores said.

"We need to fix that - we don't want to violate any (laws)," Flores said Thursday.

According to a time stamp on the site, the data was posted in December 2005, meaning the data might have been accessible for more than two years.

Ruth Medina, whose daughter's medical information appears in the spreadsheet, said she was upset that the data was publicly available for a time.

"It's very wrong, even if it was accidental," Medina said. "It's confidential information."

Unintentional violations of medical-privacy laws actually happen frequently - not just to clinics and doctor's offices but to renowned hospitals and large universities, said James Hodge Jr., executive director of the Center for Law and the Public's Health at Johns Hopkins University.

"There have been lots of examples during the last 10 years," Hodge said. "It could be a lack of understanding about the law, or it could be just human error."

In 2002, officials at the University of Pittsburgh Medical Center admitted fault after a physician included the names and Social Security numbers of 80 patients, without their consent, in a presentation at a symposium. The information also was posted on a Web site.

A 2006 survey by the Healthcare Information and Management Systems Society found that 22 percent of health care providers aren't complying with HIPAA privacy rules. Even compliant providers still sometimes have privacy breaches, the survey says.

The University of Montana and the University of Michigan Medical Center also have inadvertently posted patient data on public Web sites in the past.

The U.S. Department of Health and Human Services can impose fines of up to $25,000 on providers who violate privacy rules. However, the agency rarely imposes these fines, according to experts, if the provider hasn't willfully neglected the law and has corrected the problem.

Hodge said it was "alarming" to see patient data on the Brownsville clinic's Web site. Providers need to be careful to guard medical information, he said.

"This type of data, in the wrong person's hands, can lead to serious consequences," he said.