LANSING — A government contractor in Michigan violated the state’s data security policies in its handling of thousands of pages of information relating to people living with HIV, a state investigation has found.
The investigation concluded, however, that no state or federal laws were broken and that no individually identifiable private health information was disclosed to the public.
The findings of the investigation appear in a May 4 report by Matthew Rick, legal affairs director for the Michigan Department of Community Health. The American Independent first reported on the department’s investigation last month.
Michigan maintains a database with information about people who have been diagnosed as HIV-positive, their sexual and needle-sharing partners, and other information related to the state’s HIV programs.
According to Rick’s report, the violation occurred late last year when an employee of A.J. Boggs & Company — a subcontractor that provides technology services to MDCH — sent an unencrypted email attachment to the company’s CEO that included thousands of pages of health and demographic information from the state’s HIV database.
Because the email was sent to a non-state of Michigan address, it violated the department’s policy requiring “encrypting and password protecting a document that contains … sensitive or protected health information that is attached to e-mail sent outside the State’s firewall.”
According to Rick’s report, the email contained information on government and community agencies’ interactions with patients and their partners, including: “session identification numbers; identification numbers; agency names; dates of sessions; event names (but no names of people); format; intervention model; number of planned and attended sessions; risk group; race, sex, and age (but no dates of birth); fiscal year; funding; final test results; site type; client post-test; court-ordered test; number of contacts; partner identification number; spouse status; partner previous testing; and referrals and sources.”
The report stated that the information did not include “any individual’s names, addresses, telephone numbers, social security numbers, medical record numbers, account numbers, license numbers, internet protocol address numbers, or any other unique number, characteristic, or code that may identify an individual.” (The table headers, obtained by TAI through a Freedom of Information Act request, are available here.)
Rick’s report concludes that none of the information in the email was personally identifiable and that “there was no breach of unsecured protected health information that compromised the security or privacy of an individual’s protected health information.” But, he concluded, the information in the email nonetheless “could be characterized as ‘sensitive.’”
But some experts and activists TAI spoke to expressed concern that under certain circumstances, the information contained in the email could potentially be used to identify specific patients. In particular, they pointed to a table labeled “PCRS [partner counseling and referral services] Index 2008_2011.” This table contained information on the counseling of partners reported by people who tested positive for HIV, including their age, race, gender, and risk category. It also included the name of the county health department or community-based agency that performed the counseling.
Joshua Moore, an attorney who runs Detroit Legal Services and specializes in HIV legal issues, says he believes the email contained information one could use to identify specific individuals.
“While the information shared in the e-mails may have not been in violation of the law per se, it is alarming that the State of Michigan who is entrusted with this personal information is sharing it so carelessly,” Moore said. “They are entrusted to collect and protect this information which clearly they failed to do.”
And Moore is not alone. Peter Kronenberg, communications director for the National Association of People with AIDS, also expressed concern that the information in the database could be used to identify people.
“We … view with concern the state’s belief that the information released did not carry personal IDs or other details that could be used to identify the individuals whose information was shared. The information shared ‘outside the state firewall’ had data fields for age, sex, race, HIV risk factor, and Hispanic ethnicity,” Kronenberg said. “If those data fields were populated in the data shared ‘outside the state firewall,’ they provided all the information needed to identify at least certain individuals in smaller communities. We call on HAPIS and the Michigan state government to take this situation seriously, develop and enforce better policies to protect sensitive health information, and redesign its data tables to reduce the risk of sharing personally identifiable data except as needed in special cases.”
Kronenberg further stated: “The apparently casual manner in which information was shared ‘outside the state firewall’ suggests a need for improved staff training in the need for confidentiality and specific policies to ensure it. HIV stigma can kill, and the state owes absolute confidentiality to the citizens whose HIV status it records. Even ‘inside the firewall,’ sensitive health information should be shared only on a strict need-to-know basis, and without personal identifiers except as needed in highly unusual circumstances.”
According to Rick’s report, A.J. Boggs has since changed its practices and “now transports all data over secure systems.”