LANSING — A government contractor in Michigan violated the state’s data security policies in its handling of thousands of pages of information relating to people living with HIV, a state investigation has found.
The investigation concluded, however, that no state or federal laws were broken and that no individually identifiable private health information was disclosed to the public.
The findings of the investigation appear in a May 4 report by Matthew Rick, legal affairs director for the Michigan Department of Community Health. The American Independent first reported on the department’s investigation last month.
Michigan maintains a database with information about people who have been diagnosed as HIV-positive, their sexual and needle-sharing partners, and other information related to the state’s HIV programs.
According to Rick’s report, the violation occurred late last year when an employee of A.J. Boggs & Company — a subcontractor that provides technology services to MDCH — sent an unencrypted email attachment to the company’s CEO that included thousands of pages of health and demographic information from the state’s HIV database.
Because the email was sent to a non-state of Michigan address, it violated the department’s policy requiring “encrypting and password protecting a document that contains … sensitive or protected health information that is attached to e-mail sent outside the State’s firewall.”
According to Rick’s report, the email contained information on government and community agencies’ interactions with patients and their partners, including: “session identification numbers; identification numbers; agency names; dates of sessions; event names (but no names of people); format; intervention model; number of planned and attended sessions; risk group; race, sex, and age (but no dates of birth); fiscal year; funding; final test results; site type; client post-test; court-ordered test; number of contacts; partner identification number; spouse status; partner previous testing; and referrals and sources.”
The report stated that the information did not include “any individual’s names, addresses, telephone numbers, social security numbers, medical record numbers, account numbers, license numbers, internet protocol address numbers, or any other unique number, characteristic, or code that may identify an individual.” (The table headers, obtained by TAI through a Freedom of Information Act request, are available here.)
Rick’s report concludes that none of the information in the email was personally identifiable and that “there was no breach of unsecured protected health information that compromised the security or privacy of an individual’s protected health information.” But, he concluded, the information in the email nonetheless “could be characterized as ‘sensitive.’”
But some experts and activists TAI spoke to expressed concern that under certain circumstances, the information contained in the email could potentially be used to identify specific patients. In particular, they pointed to a table labeled “PCRS [partner counseling and referral services] Index 2008_2011.” This table contained information on the counseling of partners reported by people who tested positive for HIV, including their age, race, gender, and risk category. It also included the name of the county health department or community-based agency that performed the counseling.
Joshua Moore, an attorney who runs Detroit Legal Services and specializes in HIV legal issues, says he believes the email contained information one could use to identify specific individuals.
“While the information shared in the e-mails may have not been in violation of the law per se, it is alarming that the State of Michigan who is entrusted with this personal information is sharing it so carelessly,” Moore said. “They are entrusted to collect and protect this information which clearly they failed to do.”
And Moore is not alone. Peter Kronenberg, communications director for the National Assocation of People with AIDS, also expressed concern the information in the database could be used to identify people.
“We … view with concern the state’s belief that the information released did not carry personal IDs or other details that could be used to identify the individuals whose information was shared. The information shared ‘outside the state firewall’ had data fields for age, sex, race, HIV risk factor, and Hispanic ethnicity,” Kronenberg said. “If those data fields were populated in the data shared ‘outside the state firewall,’ they provided all the information needed to identify at least certain individuals in smaller communities. We call on HAPIS and the Michigan state government to take this situation seriously, develop and enforce better policies to protect sensitive health information, and redesign its data tables to reduce the risk of sharing personally identifiable data except as needed in special cases.”
Kronenberg further stated: “The apparently casual manner in which information was shared ‘outside the state firewall’ suggests a need for improved staff training in the need for confidentiality and specific policies to ensure it. HIV stigma can kill, and the state owes absolute confidentiality to the citizens whose HIV status it records. Even ‘inside the firewall,’ sensitive health information should be shared only on a strict need-to-know basis, and without personal identifiers except as needed in highly unusual circumstances.”
According to the Rick’s report, A.J. Boggs has since changed its practices and “now transports all data over secure systems.”
Signs and sypomtmsThe sypomtms of HIV and AIDS vary, depending on the phase of infection. When first infected with HIV, you may have no sypomtms at all, although it’s more common to develop a brief flu-like illness two to six weeks after becoming infected. But because the signs and sypomtms of an initial infection — which may include fever, headache, sore throat, swollen lymph glands and rash — are similar to those of other diseases, you might not realize you’ve been infected with HIV.Even if you don’t have sypomtms, you’re still able to transmit the virus to others. Once the virus enters your body, your own immune system also comes under attack. The virus multiplies in your lymph nodes and slowly begins to destroy your helper T cells (CD4 lymphocytes) — the white blood cells that coordinate your entire immune system.You may remain symptom-free for eight or nine years or more. But as the virus continues to multiply and destroy immune cells, you may develop mild infections or chronic sypomtms such as:Swollen lymph nodes — often one of the first signs of HIV infectionDiarrheaWeight lossFeverCough and shortness of breathDuring the last phase of HIV — which occurs approximately 10 or more years after the initial infection — more serious sypomtms may begin to appear, and the infection may then meet the official definition of AIDS. In 1993, the Centers for Disease Control and Prevention (CDC) redefined AIDS to mean the presence of HIV infection as shown by a positive HIV-antibody test plus at least one of the following:The development of an opportunistic infection — an infection that occurs when your immune system is impaired — such as Pneumocystis carinii pneumonia (PCP)A CD4 lymphocyte count of 200 or less — a normal count ranges from 600 to 1,000By the time AIDS develops, your immune system has been severely damaged, making you susceptible to opportunistic infections. The signs and sypomtms of some of these infections may include:Soaking night sweatsShaking chills or fever higher than 100 F for several weeksDry cough and shortness of breathChronic diarrheaPersistent white spots or unusual lesions on your tongue or in your mouthHeadachesBlurred and distorted visionWeight lossYou may also begin to experience signs and sypomtms of later stage HIV infection itself, such as:Persistent, unexplained fatigueSoaking night sweatsShaking chills or fever higher than 100 F for several weeksSwelling of lymph nodes for more than three monthsChronic diarrheaPersistent headachesIf you’re infected with HIV, you’re also more likely to develop certain cancers, especially Kaposi’s sarcoma, cervical cancer and lymphoma, although improved treatments have reduced the risk of these illnesses.Symptoms of HIV in childrenChildren who are HIV-positive often fail to gain weight or grow normally. As the disease progresses, they may have difficulty walking or delayed mental development. In addition to being susceptible to the same opportunistic infections that adults are, children may have severe forms of common childhood illnesses such as ear infections (otitis media), pneumonia and tonsillitis.
can u pls help me think i got it 2 n its a pain havng it its getting ennnyog n i think its getting wrost idk wat 2 do i havnt tell a doctor or my mom.. im 14 ugh