Saturday, March 10, 2007

Breach of Confidential HIV Data Reported

The very useful resource Kaiser Daily HIV/AIDS Reports had this item recently:
The California Department of Health Services last week inadvertently revealed the names and addresses of up to 53 residents enrolled in the state's AIDS Drug Assistance Program by mailing benefit notification letters to the incorrect ADAP members, department officials said Friday, the Los Angeles Times reports. According to Sandra Shewry, director of the department, a newly hired clerk did not realize that each letter was personally addressed and put the 54 letters into envelopes. The clerk then attached 54 preprinted mailing labels to the envelopes, according to Shewry. At least one letter was placed in the correct envelope, according to the Times. The letters were sent to people in 16 counties, including Los Angeles, Orange, Riverside and San Diego. The letters also included Medicare Part D plan names and premium payment amounts but not Social Security numbers, medical record numbers or other confidential information. According to Shewry, the department learned of the mistake after 12 people called to say they had received letters addressed to someone else. Many of the callers were concerned they had not been approved for benefits, according to Kevin Reilly, director of prevention services (Engel, Los Angeles Times, 3/3). The clerk who made the error has been reassigned, according to Shewry (Feder Ostrov, San Jose Mercury News, 3/3). The department on Friday through certified mail informed the ADAP enrollees of the error and asked that incorrectly addressed letters be destroyed. It also notified the California Highway Patrol, as is required under state law for security breaches. According to the Times, the error comes after the California Legislature last year changed the state's HIV reporting system from a code-based system to a names-based system (Los Angeles Times, 3/3).

REACTION
Shewry said the department has a "no-excuses, zero-tolerance policy" regarding infringements of patients' privacy, adding that the error is "extremely regrettable." Shewry said the agency would take steps, such as using envelopes with address windows, to ensure a similar mistake does not happen again (San Jose Mercury News, 3/3). Shewry said the department is "investigating and interviewing all the employees who are involved in the chain of command" that led to the error. Jeff Bailey, director of client services for AIDS Project Los Angeles, said he hopes the error is an "anomaly." Bailey added, "I would not want to give way to panic about this release. It did not go to random citizens of the state, where this information might be shared with someone outside the HIV and AIDS circle." Lori Yeghiayan, spokesperson for AIDS Healthcare Foundation, said that the error is "unfortunate" but that it does not signal a systemwide failure (Los Angeles Times, 3/3).
Well, isn't that special? From 2004-2006 when I was on the board of directors of an organization (one of the very few AIDS organization in the the state to do so) that opposed California's switch to reporting HIV infections using name-based data instead of by alpha numerical code I was told repeatedly that "there had never been a serious breach of confidential HIV data in the state of California" and that it was very unlikely there ever would be one.

What strikes me as poignant in the news reports of the latest breach of confidential personal data in California (there have been others, those just have not usually been HIV/AIDS specific) is 1) The employee who made the error was only reassigned, not terminated; and 2) Why the heck is the California Highway Patrol the state agency responsible for policing confidentiality breaches?

No comments:

LinkWithin

Blog Widget by LinkWithin