Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients

Melinda Miller and Stephen Watson report:

Confidential information about more than 10,200 patients of Dent Neurologic Institute was inadvertently sent to more than 200 patients Monday in an email attachment.

The personal information – including patients’ names and home addresses, their doctors’ names, last appointment dates and their email addresses – was contained on an Excel patient spreadsheet.

The data does not include specific information about the patients’ medical conditions, birth dates or Social Security numbers, according to Dent, which attributed the privacy breach to “human error.”

Read more on Buffalo News.  WGRZ also covers the breach.

A substitute notice on DNI’s web site says:

PRESS RELEASE

Clerical Error Results in Mistaken Distribution of List by Dent Neurologic InstituteMay 14, 2013

The Dent Neurologic Institute (DNI) today disclosed that a clerical error yesterday (May 13, 2013) afternoon resulted in the accidental e-mail distribution of a list containing names and non-clinical information to approximately 200 Dent patients. The list did not contain any medical diagnoses, social security numbers, financial information, date of birth or contact phone numbers.  This list is soley used for the purpose of practice updates and educational events and to inform patients and referring physicians.

According to DNI CEO Joseph Fritz, the error was discovered just after it occurred on Monday afternoon and DNI personnel immediately began calling each of the 200 people who received the list and advised them the information was mistakenly sent to them, it was not intended for them and asked them to delete the email from their computers. As of Tuesday afternoon (May 14), all of the 200 individuals who received the e-mail, have been contacted.

The list contained the following information:

Name
Address
Active/Former Patient
Last Appointment
Scheduling Code
Primary Physician
Referring Physician
E-mail address

“We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners,” Fritz said. “Patient confidentiality is extremely important in our field and we take it very seriously and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again. This is an inexcusable event.”

Fritz said the list was mistakenly attached to a routine e-mail that was being sent to patients by a clerk in the DNI administrative office.  “This was a case of human error and the person involved is a dedicated, long-term employee and there was absolutely no malice involved, but that doesn’t excuse it,” he said.

Fritz said DNI has self-reported the event to the New York State Department of Health and take whatever steps the state requires. In addition, DNI will send a letter of apology and explanation to all 10,000 patients and their referring physicians, whose names were on the list.

Patients who have questions are asked to call the Dent Neurologic Institute at 716-250-2000.

There are those who will likely think, “This could have been worse” in terms of the types of information exposed. But given the specialty nature of the facility as a neurological institute, just being identified as having been or being a patient there might be cause for concern for some patients who do not want others know that they have been seen for a possible neurological problem. Would a political candidate want it known? Would someone fear their employer might start asking questions? Was a patient keeping a secret from their family and friends?

Most breaches have  the potential to harm patients, even those that do not include diagnostic codes, treatment codes, or Social Security numbers.  This one strikes me as no different.

About the author: Dissent