The first e-mail came at the end of June. It was from a doctor’s office in another state -- a large cardiology group. The note listed the name of a test. It listed the full name of the patient. It listed the full name of the doctor who treated that patient. It said the test was normal and provided a number that I could call for more information. Presumably, this was supposed to be good news. But it was someone else’s test result.
I’ve written before about the accidental voyeurism that can happen when you have a common e-mail address, and misaddressed notes to other people begin to stack up. I have both a common name and a common e-mail, and receiving and deleting notes from another Carolyn Johnson’s boyfriends, church groups, real estate clients, neighborhood watch groups, potential future employers, financial aid officers, and students has pretty much become a part of my daily routine. Recently, though, I’ve noticed a new kind of misrouted e-mails that seem less trivial than some of the other unwelcome missives that show up in my inbox. These are notes or test results from other people’s doctor’s offices.
The security of health information in the digital age is a big concern. Already, privacy and security loopholes have emerged, in situations that can range from laptops with patient information being stolen or lost, to the DNA information in research studies potentially being used to identify supposedly anonymous participants. Now, add this possible breach of privacy to the list: You or your doctor type in an e-mail address incorrectly. That could mean a stranger finds out your test result or learns that a specialist just uploaded a new file from your recent patient visit -- just by opening his or her inbox.
There is a federal law, called HIPAA, requiring that health care providers protect people’s health information. But in the age of digital health information and communication, my inbox offers anecdotal evidence that health information could very easily fall into the hands of someone else.
After the first e-mail arrived, I immediately e-mailed the cardiology doctor’s office back to alert them that they had disclosed personal health information -- a test result -- to the wrong person. I deleted the note.
I was shocked, because the information was personal and specific, and I couldn’t delete it from my memory. What if the real patient did not want the information to be disclosed to anyone else? What if the real patient didn’t even want anyone to know they had seen a specialist? There are many dozens of people with my name in the region this clinic served -- enough that calling them all to try and track down the real person to find out how they felt about private, personal medical information of a family member being inadvertently shared, was daunting.
The reply from the person at the clinic was simply as follows: “I apologize but this is the e-mail the patient hand wrote on his paperwork for us to send records to. I will remove this information from his file.”
Then, a few days ago, I received a series of e-mails from a midwifery practice, urging me to set up a password through one of those online health portals that have become increasingly common as doctors’ offices migrate from paper records into electronic medical records. A second e-mail, minutes later, indicated that a file had been uploaded about a medical visit. Again, I wrote to the practice, saying it had e-mailed the wrong person and noting that this appeared to be a serious security flaw in the system. The e-mail was prompting me to set up a password for an account that wasn’t mine, complete with a secure link to the webpage where I could do it. I didn’t probe further, but it seemed on its face that I could probably have logged into this account without verifying I really was the Carolyn Johnson they were trying to reach. Even if I couldn’t, I could easily surmise that someone with my name in a specific geographical region was pregnant -- a fact that the person may not have disclosed yet even to close family members or friends.
I described the situation to Dr. Michael Sherman, senior vice president and chief medical officer of Harvard Pilgrim Health Care, to get an outside perspective on whether this kind of information breach was serious or common. He was taken aback by what I described.
“Even an e-mail just saying, ‘We’re confirming your appointment,’ might not be innocuous if the physician specializes in AIDS, or you may not want a relative to know you’re seeing an OB,” Sherman said. “Even the fact you have an appointment with a specific doctor is too much information.”
Sherman noted that if such breaches of privacy occur, medical practices should notify a compliance officer within their practice of the violation. They should, he said, contact the family to let them know information had been shared, just as hospitals that have data breaches from a lost laptop alert their patients of possible privacy violation. Above all, he said, patients should not be receiving e-mails with personal health information directly in their inboxes; doctors’ offices should use online portals that simply notify patients they have a new message that they can securely sign in to receive.
“This whole information technology thing is one of the drivers behind practice consolidations; it’s one reason you can’t have two primary care docs hanging out the shingle and keeping up with all this stuff anymore,” Sherman said. “I think it’s fair to say the larger practices understand the consequences of HIPAA violations -- they’re scared of them. They also understand it would hurt their reputation with their patient community.”
On a final note, I’ve found the amount of back and forth required to correct this sort of mistake borders on the absurd. It doesn’t inspire confidence in the medical professionals who are supposedly on the hook for keeping patient privacy foremost.
Below are the last two (of 11) e-mails I exchanged with the latest clinic in an attempt to correct this problem -- after much back and forth.
Hi - You are emailing a Carolyn Johnson who lives in Massachusetts. I’m not pregnant. This is not the right patient, thus my concern about disclosing medical information to a stranger.