LA Times
November 7, 2001
Web Mishap: Kids’ Psychological Files Posted
By CHARLES PILLER, TIMES STAFF WRITER
Detailed psychological records containing the innermost secrets of at least 62 children and teenagers were accidentally posted on the University of Montana Web site last week in one of the most glaring violations of privacy over the Internet.
The 400 pages of documents describe patient visits and offer diagnoses by therapists of mental retardation, depression, schizophrenia and other serious conditions.
In nearly all cases, they contain complete names, dates of birth and sometimes home addresses and schools attended, along with results of psychological testing. Unlike a medical file left open on a counter in a doctor’s office, these electronic medical records, once placed on the Internet, were exposed to a potentially vast audience. “You’re talking about sensitive information that could scar a child for life being available to anyone for any purpose,” said Evan Hendricks, editor of Privacy Times newsletter.
The mother of an 11-year-old, whose records of an attention deficit/hyperactivity disorder were posted on the university’s Web site, was appalled. “He’s just a kid, and he shouldn’t have his whole life splattered around for the whole world to know. It makes me sick,” she said.
The mother declined to be identified. She recalled attending her son’s therapy sessions and watched the therapist “taking notes in her book, and [I] thought maybe that was the extent of it. I guess I was kind of naive about that.”
The medical files were placed on the University of Montana Web site Oct. 29 and were available for eight days. The files were removed Monday after a local paper, the Missoulian, reported the story, university officials said. The records were for patients at clinics mainly in Minnesota, as well as in Montana and other states.
A University of Montana student or technical employee may have accidentally placed these private files on the Web site, officials said.
It is unclear how many people viewed these records.
The Montana case is the latest in a series of unauthorized disclosures of medical data over the Internet. Earlier this year, Eli Lilly & Co., maker of the antidepressant Prozac, inadvertently divulged the names and e-mail addresses of 600 psychiatric patients in a mass e-mail.
Similarly, Kaiser Permanente last year sent e-mails with confidential medical information to the wrong Kaiser members.
“That’s the danger with having all of these electronic records,” said Daniel B. Borenstein, a former president of the American Psychiatric Assn. and a UCLA professor.
“If you push the wrong button or put something in the wrong spot on your Web site, it [can mean] immediate distribution of a massive amount of private medical information,” Borenstein said.
Last year, a Nevada woman bought a used computer only to find that its previous owner, a drugstore, had left the pharmacy records of thousands of patients on the machine’s storage drive. But the buyer did not publicly disclose the records.
Also last year, a computer hacker broke into the medical records system at the University of Washington Medical Center and gained access to some 4,000 patient records—although these were not made public.
What sets the Montana incident apart is the youth of the patients, the amount of detail disclosed and its placement on a public Web site that allowed complete access to private records.
The detailed accounts by therapists reveal children suffering from all manner of emotional problems:
“[She] has ‘extreme mood swings’ and is very aggressive with her sisters and other children,” read one file about an 8-year-old girl diagnosed with autism and mental retardation. “She has been cruel to animals, … often refuses to eat and will make herself vomit.”
An 8-year-old boy was described as suffering from “anger outbursts, gender identity issues” and bed-wetting.
Raymond Ford, the University of Montana technology manager, said the incident is under investigation. “We have no evidence that this was malicious—all the evidence that we have suggests that the person who uploaded [the patient files] probably had no idea what [he was] doing,” he said.
But once the records were placed on the school’s Web server, a computer that manages its online files, they became available to Internet search engines and were visible to casual Web surfers who requested a keyword contained in a patient’s record.
For example, a search for “confidential” or “neuropsychological” turned up
dozens of these medical records. Those files could then be copied to the
computer of any visitor.
Therapists whose patients were involved were stunned by the lapse.
“I’m shocked. I have no idea how this can happen. Obviously, this information is confidential, and we go to great lengths to keep it confidential,” said Bonnie Carlson-Green, a psychologist at Children’s Hospital in St. Paul, Minn., the source of some of the patient records.
Ford said the university will attempt to tighten its Web security, but that it must depend on users’ vigilance and care to restrict private materials.
Medical records experts said the university has an ethical obligation to inform the patients’ parents.
“The least the [university] can do is contact the families and let them know that there was this error and the steps they’ve taken to correct it,” Borenstein said.
“There should be special privacy protections for all medical records, even more special protections for disclosure of any psychiatric records,” because of a real threat of discrimination against people whose treatment for mental illness becomes known, Borenstein said.
Borenstein fears that fewer people will seek treatment if they think their private information may be accidentally disclosed.
Many psychiatrists are so concerned about inappropriate electronic disclosure of medical reports that they write only cryptic comments in patient records, trusting the rest to memory, Borenstein said.
David Aronofsky, the University of Montana’s attorney, said accidental online releases of private legal or medical information are not unusual and are corrected quickly.
Patients and medical institutions have not been contacted about the release of these records. They will be contacted if it seems necessary, after the internal investigation is concluded, Aronofsky said. “We’re not understating the significance of what happened here, nor are we trying to cover it up,” he said.
Fiona Anderson, a University of Minnesota psychologist whose patient records were among those released online, said the records may have been removed against her institution’s rules.
“As things become more electronic and more easily accessed … edited and altered, it’s difficult for our ethical rules and guidelines to keep up with the technology,” she said.
But such victims of accidental disclosures face steep legal challenges to gain compensation, said Peter Swire, a law professor who was chief privacy counselor for the Clinton administration.
Part of the problem is new, more stringent federal standards for medical records privacy will not take effect until 2003, and state regulations vary widely.
Posting a private document online—no matter how injurious it may appear—can cause legal liability only if the victim can prove damages in court.
“What if one of the patients has something bad happen to him or her as a result of this disclosure—if they are turned down for a job later in life?” Swire said. “This is where you are open to a [legal] suit.”
As more medical records are stored digitally, routine electronic disclosure to insurers and health maintenance organizations has increasingly troubled some clinicians and privacy advocates, although such transfers are legal and often required for provider reimbursement.
Paul Appelbaum, president-elect of the American Psychiatric Assn., said patients should be given the option of having their information kept on paper.
A few health-care providers, such as the Harvard Pilgrim HMO, offer such an option.
The alternative for patients may be decreasing control over their medical histories.
Appelbaum added: “The mobility of electronic information is almost unlimited.”