Twenty-four women with HIV recently had sensitive medical data exposed due to a simple oversight.
To make matters worse, the women involved in the breach have yet to be notified, adding insult to injury in a breach that could easily have been avoided and quickly corrected.
Exposing sensitive HIV data
The women were participating in a study at the University of California San Diego (UCSD). All participants were HIV positive and had chosen not to begin treatment. The study was designed to uncover why the women had not sought treatment and why others might make the same choice.
With a clear objective to determine if factors like substance abuse, mental illness, trauma, or other serious issues played a role in these women’s decisions, UCSD made audio recordings of interviews and collected other sensitive information.
Unfortunately, the interviews and other information collected were stored at UCSD in a database designed to track routine clinical information. Because the data was stored this way, anyone using the database could access the study participants’ information.
One of the most troubling aspects of this case is the fact that UCSD was alerted to the breach, but chose to do nothing about it.
Jamila Stockman, the lead researcher for the study and associate professor at UCSD, discovered the data confidentiality problems early in the study. But even after Stockman discovered the problems, nothing was done to address the issues or alert the participants to the error.
Ultimately, Stockman canceled the study due to the data-breach issues, negating any conclusions that could have been drawn from the research.
The consequences of ignoring HIPAA
Even after repeated warnings, UCSD refused to protect study participants and their sensitive data.
Although the university’s failure to act was probably not malicious, they still chose to violate the confidentiality of a group of people with a sensitive condition. The study participants were in a vulnerable situation that could have easily been avoided.
No legal action has been taken by any of the study participants yet, but UCSD has opened itself up to the possibility of lawsuits or other legal consequences, the same situation any medical institution could be facing after a similar misstep.
Protecting your sensitive data
UCSD made a simple mistake. This same mistake could easily be made in many medical practices. But, rather than addressing the situation, fixing the database and alerting the study participants, UCSD chose to do nothing.
Don’t let a similar mistake cost you. Have a plan in place to address these types of issues or, better yet, prevent them from occurring in the first place.
Learn from UCSD’s missteps and ensure that your patients’ data is securely stored. We’re here to help you understand how to safely and effectively deal with patients’ Protected Health Information (PHI). Try our 7-day, Risk-Free trial today.