Philadelphia Department of Public Health Breach

Patient protected health information (PHI) is extremely sensitive, and diagnostic information especially so. On Friday, the Philadelphia Department of Public Health was informed that the PHI of individuals diagnosed with hepatitis B and C between 2013 and 2018 was publicly accessible on its website. A reporter discovered the exposure and informed the agency, which removed the exposed patient data as soon as it was notified.

The information had been uploaded to Tableau, a dashboard platform that lets organizations load data sets and publish charts and graphics for public viewing. The Department, however, had not enabled the controls that would have masked the underlying data, so the PHI of thousands of patients was exposed on the opioid data page of its website. Hepatitis B and C are bloodborne infections commonly associated with injection drug use, which is why the data set had been placed on the Department's opioid page. The lesson for anyone publishing dashboards is that a public dashboard carries whatever rows sit behind the chart: a harmless visual summary does not make the underlying data set harmless, and row-level PHI has to be de-identified or aggregated before it is uploaded, not hidden after the fact.

Thomas Farley, Philadelphia’s health commissioner, stated, “We deeply regret the inadvertent exposure of personal health information on our website. We will conduct a thorough investigation of this incident, attempt to determine if any confidential information was accessed by others, take appropriate corrective actions, and do everything we can to protect the privacy and security of personal information.”

It is unclear how long the data was visible online or who may have viewed it. The exposed records included patient name, date of birth, gender, address, test results, some Social Security numbers, and health provider notes.
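The fields listed above (name, date of birth, SSN, address, provider notes) are direct identifiers that should never reach a public extract. The following is an added example, not code from the Department or from Tableau, of a pre-publication gate that refuses a row-level extract while such columns or identifier-like values are present and otherwise reduces it to aggregate counts with small-cell suppression. The column names, the sample rows, and the cell-size threshold of 11 are assumptions chosen for illustration; map them to your own schema and policy.

```python
"""
Pre-publication gate for a public dashboard extract.

Added example, not code from the Philadelphia Department of Public Health
or from Tableau. Assumptions: the extract is a list of dicts (one row per
test result), the column names are hypothetical, and the small-cell
threshold of 11 is an example policy value, not a HIPAA requirement.
"""
import re
from collections import Counter

# Hypothetical column names that are direct identifiers and must never be
# published. Map these onto your own schema.
DIRECT_IDENTIFIER_COLUMNS = {
    "name", "first_name", "last_name", "dob", "date_of_birth",
    "ssn", "address", "street_address", "provider_notes",
}

# Patterns that betray identifiers hiding in free text or mislabelled columns.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")

# Constructed, entirely fictional rows standing in for a row-level extract.
SAMPLE_ROWS = [
    {"name": "A. Example", "dob": "1980-03-04", "gender": "F", "zip": "19104",
     "test": "HCV", "result": "positive", "year": 2016,
     "ssn": "123-45-6789", "provider_notes": "seen 02/11/2016"},
    {"name": "B. Example", "dob": "1975-07-19", "gender": "M", "zip": "19104",
     "test": "HCV", "result": "positive", "year": 2016,
     "ssn": "", "provider_notes": ""},
    {"name": "C. Example", "dob": "1990-12-01", "gender": "M", "zip": "19107",
     "test": "HBV", "result": "positive", "year": 2017,
     "ssn": "", "provider_notes": "no follow-up"},
]


def find_identifier_columns(rows):
    """Return the column names present in the extract that are on the deny list."""
    columns = set()
    for row in rows:
        columns.update(row.keys())
    return sorted(columns & DIRECT_IDENTIFIER_COLUMNS)


def find_identifier_values(rows):
    """Return (column, kind) pairs where a value looks like an SSN or a date,
    whatever the column is called. Catches PHI pasted into notes fields."""
    hits = set()
    for row in rows:
        for col, value in row.items():
            text = str(value)
            if SSN_RE.search(text):
                hits.add((col, "ssn"))
            if DATE_RE.search(text):
                hits.add((col, "date"))
    return sorted(hits)


def check_extract(rows):
    """List every reason the extract must not be published; empty means clean."""
    problems = [f"direct identifier column: {c}" for c in find_identifier_columns(rows)]
    problems += [f"{kind}-like value in column {col}" for col, kind in find_identifier_values(rows)]
    return problems


def strip_identifiers(rows):
    """Drop deny-listed columns; aggregation then removes the remaining row-level detail."""
    return [{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIER_COLUMNS}
            for row in rows]


def aggregate(rows, group_by=("year", "test"), min_cell=11):
    """Collapse rows to counts per group and suppress (None) cells below min_cell,
    so that a small group cannot be traced back to an individual."""
    counts = Counter(tuple(row[k] for k in group_by) for row in rows)
    return {key: (n if n >= min_cell else None) for key, n in counts.items()}


def publish_gate(rows, min_cell=11):
    """Refuse to publish while identifiers are present; otherwise return the
    aggregated table that is safe to load into a public dashboard."""
    problems = check_extract(rows)
    if problems:
        raise ValueError("extract blocked: " + "; ".join(problems))
    return aggregate(rows, min_cell=min_cell)


if __name__ == "__main__":
    try:
        publish_gate(SAMPLE_ROWS)  # the raw extract is rejected
    except ValueError as exc:
        print(exc)
    print("published:", publish_gate(strip_identifiers(SAMPLE_ROWS)))
```

Run as a script, the raw extract is blocked with a list of offending columns and values, and only the de-identified, suppressed counts are returned for publication. With three constructed rows every cell falls below the threshold of 11 and is suppressed, which is the intended behaviour for an extract that small.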

Protecting Patient Data

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities (providers, health plans, and clearinghouses) and their business associates to secure patient data; its Security Rule spells out the safeguards required for electronic PHI.

The Security Rule mandates three categories of safeguards to protect PHI:

  • Administrative: written policies and procedures, customized to the organization’s business processes, together with a risk analysis and workforce training. Every employee must be trained on the organization’s policies and procedures.
  • Physical: the security of the organization’s physical sites, with measures such as video cameras, alarms, and keypad locks that issue a unique access code to each employee.
  • Technical: cybersecurity measures that protect PHI on electronic systems, such as encryption, access controls, audit logging, and firewalls. Every system that stores or transmits PHI should have protections that preserve its confidentiality, integrity, and availability.

An organization subject to a HIPAA audit that has not implemented administrative, physical, and technical safeguards will be found deficient and can face HIPAA fines. In the Philadelphia case the missing control was technical: nothing masked or stripped the row-level PHI before it was loaded onto a public-facing dashboard.
